Hi,
What are your thoughts on standardizing password aliasing in Java EE?
The feature was originally proposed in EE 7:
[https://java.net/projects/javaee-security-spec/downloads/download/password-aliasing-ee7-proposal.pdf]
And mentioned in this JIRA:
[https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-6]
I think it was deferred out of EE 7 because of time constraints. When I
think about what may be involved, perhaps this should be in its own JSR:
alias scanning, archive format, deployment mechanism,
encryption/decryption, and lots of opportunity for vulnerabilities.
But what do you think? Should we standardize password aliasing to
promote portability? 57.9% of EE 8 Survey respondents said yes to
"Should we add support for password aliases (including the ability to
provision credentials along with the application)?"
Thanks,
Alex