Hi Christian,
Thanks for your post. More below.....
On 11/17/2011 10:12 AM, schaarsc_at_gmx.de wrote:
> Dear javaee-spec,
>
> I read the "Resource Configuration" document provided on the download
> page. I'm missing two aspect in the resource-configured-by-application
> discussion:
>
> 1) How can a PAAS admin protect its infrastructure?
> let's use a DB-res as example. I think it would make sense if a PAAS
> admin could configure some restrictions on the resource descriptions
> shipped with applications.
>
> for example: the max-pool-size has to be between 1 and 100, to avoid
> problems with the database if someone configures max-pool-size=1000000
>
Yes -- that is our expectation. This was noted in the followup email on
metadata that I sent to the group on 10/13, and we intend to make this point
explicit in the spec.
> other example: name has to start with java:app/jdbc, to avoid access to
> other JNDI names outside the application
>
Our expectation here is that access to the JNDI name space will scoped per tenant.
Which example are you referring to?
> 2) How to protect passwords?
> If a configuration requires a password in order to create a resource.
> How can the password be protected? (at least a little bit) My guess is
> that resource-config-descriptors will end up in SVN or git
> repositories.
> Storing clear text passwords in repositories is not a good idea.
> GF has the concept of pwd-aliases to avoid clear text pwd in config
> files. other application servers replace clear text with encrypted pwd
> on the fly. This it not standardized and will make it hard to move
> applications from one PAAS offering to the next.
>
We agree with you. We don't expect passwords to be used in this manner
in production systems. However, they may be useful in development mode
and in testing locally, etc.
> What do you think? Would it make sense to describe these issues in the
> spec?
>
Yes. We plan to do so.
regards,
-Linda
> Regards
> Christian