Dear javaee-spec,
I read the "Resource Configuration" document provided on the download
page. I'm missing two aspect in the resource-configured-by-application
discussion:
1) How can a PAAS admin protect its infrastructure?
let's use a DB-res as example. I think it would make sense if a PAAS
admin could configure some restrictions on the resource descriptions
shipped with applications.
for example: the max-pool-size has to be between 1 and 100, to avoid
problems with the database if someone configures max-pool-size=1000000
other example: name has to start with java:app/jdbc, to avoid access to
other JNDI names outside the application
2) How to protect passwords?
If a configuration requires a password in order to create a resource.
How can the password be protected? (at least a little bit) My guess is
that resource-config-descriptors will end up in SVN or git
repositories.
Storing clear text passwords in repositories is not a good idea.
GF has the concept of pwd-aliases to avoid clear text pwd in config
files. other application servers replace clear text with encrypted pwd
on the fly. This it not standardized and will make it hard to move
applications from one PAAS offering to the next.
What do you think? Would it make sense to describe these issues in the
spec?
Regards
Christian