Any opinion on Password Aliasing in the Security API JSR?
On 3/20/15 11:52 AM, Alex Kosowski wrote:
> Hi,
>
> What are your thoughts on standardizing password aliasing in Java EE?
>
> The feature was originally proposed in EE 7:
> [https://java.net/projects/javaee-security-spec/downloads/download/password-aliasing-ee7-proposal.pdf]
>
> And mentioned in this JIRA:
> [https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-6]
>
> I think it was deferred out of EE 7 because of time constraints. When
> I think about what may be involved, perhaps this should be in its own
> JSR: alias scanning, archive format, deployment mechanism,
> encryption/decryption, and lots of opportunity for vulnerabilities.
>
> But what do you think? Should we standardize password aliasing to
> promote portability? 57.9% of EE 8 Survey respondents said yes to
> "Should we add support for password aliases (including the ability to
> provision
> credentials along with the application)?"
>
> Thanks,
> Alex