users@javaee-security-spec.java.net

[javaee-security-spec users] Re: [jsr375-experts] Re: [JAVAEE_SECURITY_SPEC-6] Password Aliasing - is it necessary?

From: Reza Rahman <Reza.Rahman_at_oracle.com>
Date: Mon, 23 Mar 2015 17:30:53 -0400

Personally, I think this JSR should initiate this work but it should
probably ultimately be handled at the platform JSR level. That being
said, I am not sure where this falls in terms of priorities. Perhaps
this should be tackled after higher priority issues make some more progress?

On 3/23/2015 4:48 PM, Alex Kosowski wrote:
> Any opinion on Password Aliasing in the Security API JSR?
>
> On 3/20/15 11:52 AM, Alex Kosowski wrote:
>> Hi,
>>
>> What are your thoughts on standardizing password aliasing in Java EE?
>>
>> The feature was originally proposed in EE 7:
>> [https://java.net/projects/javaee-security-spec/downloads/download/password-aliasing-ee7-proposal.pdf]
>>
>> And mentioned in this JIRA:
>> [https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-6]
>>
>> I think it was deferred out of EE 7 because of time constraints. When
>> I think about what may be involved, perhaps this should be in its own
>> JSR: alias scanning, archive format, deployment mechanism,
>> encryption/decryption, and lots of opportunity for vulnerabilities.
>>
>> But what do you think? Should we standardize password aliasing to
>> promote portability? 57.9% of EE 8 Survey respondents said yes to
>> "Should we add support for password aliases (including the ability to
>> provision credentials along with the application)?"
>>
>> Thanks,
>> Alex
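
The pieces Alex lists (alias scanning, a backing store, resolution at deployment time) are sketched below as an added Java example. It is not code from this thread, from the EE 7 proposal PDF, or from any JSR; the `${ALIAS=name}` token syntax, the `PasswordStore` interface and the sample values are assumptions made for illustration only. The point it shows is the security property that motivates aliasing: the deployment descriptor carries only an alias, the secret lives in a store the container controls, and an unknown alias fails the deployment instead of silently passing an empty credential through.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical store abstraction (assumed for this example; not from any JSR). */
interface PasswordStore {
    /** Returns a fresh copy of the secret for the alias, or null if it is unknown. */
    char[] lookup(String alias);
}

/** Resolves ${ALIAS=name} tokens in configuration values against a PasswordStore. */
public final class AliasResolver {
    // Token syntax is an assumption for this example; a spec may define a different one.
    private static final Pattern ALIAS = Pattern.compile("\\$\\{ALIAS=([A-Za-z0-9_.-]+)\\}");

    private final PasswordStore store;

    public AliasResolver(PasswordStore store) {
        this.store = store;
    }

    /** "Alias scanning": collect every alias a set of config entries refers to, without resolving any. */
    public static Set<String> scanAliases(Map<String, String> config) {
        Set<String> found = new LinkedHashSet<>();
        for (String value : config.values()) {
            Matcher m = ALIAS.matcher(value);
            while (m.find()) {
                found.add(m.group(1));
            }
        }
        return found;
    }

    /** Deploy-time check: every referenced alias must exist in the store, otherwise fail closed. */
    public Set<String> missingAliases(Map<String, String> config) {
        Set<String> missing = new LinkedHashSet<>();
        for (String alias : scanAliases(config)) {
            char[] secret = store.lookup(alias);
            if (secret == null) {
                missing.add(alias);
            } else {
                Arrays.fill(secret, '\0'); // we only needed to know it exists
            }
        }
        return missing;
    }

    /** Replace each token with the stored secret. Unknown aliases throw rather than expand to "". */
    public String resolve(String configValue) {
        Matcher m = ALIAS.matcher(configValue);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String alias = m.group(1);
            char[] secret = store.lookup(alias);
            if (secret == null) {
                throw new IllegalStateException("unknown password alias: " + alias);
            }
            // Matcher.quoteReplacement stops '$' or '\' inside a secret from being treated as a group reference.
            m.appendReplacement(out, Matcher.quoteReplacement(new String(secret)));
            Arrays.fill(secret, '\0'); // zero our copy; the resolved String itself cannot be zeroed,
                                       // so hand it straight to the consumer rather than caching it
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an in-memory map standing in for a container-managed encrypted store.
        Map<String, char[]> secrets = new HashMap<>();
        secrets.put("db-password", "s3cr3t".toCharArray());
        PasswordStore store = alias -> secrets.containsKey(alias) ? secrets.get(alias).clone() : null;

        // Constructed sample descriptor values: the artifact ships aliases, never the secrets.
        Map<String, String> config = new HashMap<>();
        config.put("jdbc.url", "jdbc:postgresql://db.example.invalid/app");
        config.put("jdbc.password", "${ALIAS=db-password}");
        config.put("mq.password", "${ALIAS=mq-password}"); // not provisioned in this sample store

        AliasResolver resolver = new AliasResolver(store);
        System.out.println("referenced: " + scanAliases(config));      // [db-password, mq-password]
        System.out.println("missing:    " + resolver.missingAliases(config)); // [mq-password]

        // A real container would refuse to deploy here; resolving the provisioned alias still works:
        String jdbcPassword = resolver.resolve(config.get("jdbc.password"));
        System.out.println("jdbc.password resolved to " + jdbcPassword.length() + " chars");
    }
}
```

The deploy-time `missingAliases` pass is the part worth copying: it separates "this artifact references these credentials" (which can be logged and audited) from "here are the credential values" (which should only ever be handed to the component that needs them), and it turns a missing or misspelled alias into a hard deployment error rather than a connection that fails much later with an empty password.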