jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: [JAVAEE_SECURITY_SPEC-6] Password Aliasing - is it necessary?

From: Darran Lofthouse <darran.lofthouse_at_redhat.com>
Date: Tue, 31 Mar 2015 16:25:28 +0100

IMO this is potentially a large topic and should actually be bigger than
just aliasing of passwords, as I have said elsewhere we need to stop
thinking purely in-terms of a username and passwords.

Take the example in the linked PDF: -

@DataSourceDefinition(
  name="java:app/jdbc/test",
  className="com.mysql.jdbc.jdbc2.optional.MysqlDataSource",
  user="root",
  password="${ALIAS=password}",
  databaseName="test",
  serverName="localhost",
  portNumber=3306 )

This covers the situation quite nicely where the database is configured
to support username and password based authentication but is quickly
inadequate when another mechanism is needed e.g. Kerberos.

Overall what I actually believe is needed is that when the application
server is acting as a client to some remote process a standard mechanism
needs to be supplied to specify how that identity is obtained. This
identity could be a username / password pairing or it could be something
entirely different such as a Kerberos ticket, maybe better integration
with various SSO specs, considerations for propagating the users identity...

Obviously none of this negates the need for secure storage and
management of that storage where sensitive passwords are held but as I
say I think identity aliasing is something that should happen first.

Regards,
Darran Lofthouse.



On 23/03/15 20:48, Alex Kosowski wrote:
> Any opinion on Password Aliasing in the Security API JSR?
>
> On 3/20/15 11:52 AM, Alex Kosowski wrote:
>> Hi,
>>
>> What are your thoughts on standardizing password aliasing in Java EE?
>>
>> The feature was originally proposed in EE 7:
>> [https://java.net/projects/javaee-security-spec/downloads/download/password-aliasing-ee7-proposal.pdf]
>>
>>
>> And mentioned in this JIRA:
>> [https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-6]
>>
>> I think it was deferred out of EE 7 because of time constraints. When
>> I think about what may be involved, perhaps this should be in its own
>> JSR: alias scanning, archive format, deployment mechanism,
>> encryption/decryption, and lots of opportunity for vulnerabilities.
>>
>> But what do you think? Should we standardize password aliasing to
>> promote portability? 57.9% of EE 8 Survey respondents said yes to
>> "Should we add support for password aliases (including the ability to
>> provision
>> credentials along with the application)?"
>>
>> Thanks,
>> Alex
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.