[jbosstools-dev] Secure Storage default password dialog

phantomjinx p.g.richardson at phantomjinx.co.uk
Wed Feb 13 04:08:31 EST 2013


On 02/12/2013 07:01 PM, Max Rydahl Andersen wrote:
> 
>> Assuming install of teiid tools (but not intending to use it), creation of a jboss server will cause
>> the adapter to try and create a TeiidServer model and add it to TeiidServerManager. At shutdown,
>> that server's settings will be stored in the XML file. Likewise, on loading that server's settings
>> will be restored accordingly.
> 
> Yikes - I hope such a TeiidServerManager has no big overhead ? Having to load Teiid plugins just because
> a server is created is not good.

The TeiidServer model in the designer plugins is a proxy for the real Teiid Server installed in
JBoss. If the latter does not have teiid installed then a TeiidServer model will never be created.
So the overhead should be quite small.

>> As I say, not ideal due to the duplication of the server settings between jboss and the
>> TeiidServerManager. However, I cannot really justify getting rid of it until the next dev cycle...
> 
> Any chance it could at least not expose these secure passwords when Teiid is *not* used ? 

Passwords are not exposed as they are stored in secure storage and never added to the XML file.

> /max
> 
>>
>> Thanks for your time on this.
>>
>> Cheers
>>
>> PGR
>>
>>
>> On 02/11/2013 06:16 PM, Max Rydahl Andersen wrote:
>>>
>>>> It is likely that some work could be done here as the current code is built on the concepts of
>>>> teiid's admin being on a separate port to that of jboss admin (teiid 7.7.x and jboss 5). Only in
>>>> teiid 8.x and so Designer 8.x does the jboss admin password and port get used.
>>>
>>> oooh - didn't consider this was also for previous JBoss versions - yes for those servers it would happen/be needed.
>>>
>>>> However, the password and port are still taken from the jboss settings and passed to a Teiid
>>>> AdminFactory, which in turn creates a proxy of the teiid Admin interface. Whether it is necessary
>>>> for this interface to still require the password, is better answered by the Teiid guys.
>>>
>>> hmm - so you are using some other interface...most likely the "pure" http version which does not support
>>> connecting locally without username/passwords ;(
>>>
>>>> Incidentally, the teiid server settings are stored separately as an historic consequence of the
>>>> TeiidServerManager being saved to XML.
>>>
>>>> This should be removed but at the moment is too large a
>>>> change for this development cycle. The upshot is that remote/local does not matter, as the secure
>>>> storage password dialog is displayed.
>>>
>>> Hmm - that's not great. We moved to secure storage for the server adapter since we had a security concern reported to us.
>>>
>>> Is this username/password managed by TeiidServerManager a pure eclipse tooling thing ? Is it only stored if you actually
>>> use the teiid tools or does it happen just by having the teiid tools installed ?
>>>
>>> /max
>>>
>>>>
>>>> Thx
>>>>
>>>> PGR
>>>>
>>>>
>>>> On 02/11/2013 03:41 PM, Max Rydahl Andersen wrote:
>>>>>> I take your points so considering an alternative that will address the deficiencies of the current
>>>>>> implementation. One point to address though ...
>>>>>>
>>>>>>> Btw. from what I can tell this dialog will only show up *once* per machine and only when using Linux and in context of teiid/server adapter only if your server is remote (i.e. it won't 
>>>>>>> need to ask when using local servers)
>>>>>>
>>>>>> The dialog (on linux) will always appear at the start of the session asking for the secure storage
>>>>>> password, due to the teiid runtime client needing the admin password for communication with the
>>>>>> teiid server.
>>>>>
>>>>> Doesn't Teiid use the connection jboss server adapter creates ? Thus teiid should not need this unless the Teiid server is remote, right?
>>>>>
>>>>> Thus this issue (at least from Teiid perspective) is only for Linux with the Teiid server being remote, right?
>>>>>
>>>>>> Looking into the fragment issue, it seems eclipse defies its own extension by using a fragment for
>>>>>> windows and macosx. The extension point provides a priority so that multiple password providers can
>>>>>> be offered yet the fragment does not use it. So ...
>>>>>>
>>>>>> I could separate out my code into a linux-only fragment, and remove the specific references to JBoss
>>>>>> and Teiid in the dialog messages, thereby 'genericising' it. This would ensure that those users
>>>>>> running linux, who are the only ones to see it, would get a dialog with much more information
>>>>>> regarding what the password is for - the primary purpose of overriding the dialog in the first place.
>>>>>
>>>>> This sounds like a plausible idea.
>>>>>
>>>>> /max
>>>>>
>>>>
>>>> -- 
>>>> Paul Richardson
>>>>
>>>> * p.g.richardson at phantomjinx.co.uk
>>>> * p.g.richardson at redhat.com
>>>> * pgrichardson at linux.com
>>>>
>>>> "I know exactly who reads the papers ...
>>>>
>>>> * The Daily Mirror is read by people who think they run the country.
>>>> * The Guardian is read by people who think they ought to run the country.
>>>> * The Times is read by people who do actually run the country.
>>>> * The Daily Mail is read by the wives of the people who run the country.
>>>> * The Financial Times is read by the people who own the country.
>>>> * The Morning Star is read by the people who think the country ought to be run by another country.
>>>> * The Daily Telegraph is read by the people who think it is."
>>>>
>>>> Jim Hacker, Yes Minister
>>>>
>>>
> 

-- 
Paul Richardson

  * p.g.richardson at phantomjinx.co.uk
  * p.g.richardson at redhat.com
  * pgrichardson at linux.com
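
The split described in this reply (connection settings in the XML file, the password only in secure storage), sketched as an added example with the Equinox secure storage API. It is not Teiid Designer or JBoss Tools code; the class name, node path and key names are assumptions.

```java
import java.io.IOException;
import java.util.Properties;
import org.eclipse.equinox.security.storage.ISecurePreferences;
import org.eclipse.equinox.security.storage.SecurePreferencesFactory;
import org.eclipse.equinox.security.storage.StorageException;

/** Hypothetical helper (not Teiid Designer code): secrets go to secure storage only. */
public final class ServerCredentialStore {
    // Assumed node path and key name; the plugin's real ones are not given in the thread.
    private static final String ROOT = "example.designer.servers";
    private static final String KEY_PASSWORD = "password";

    private static ISecurePreferences node(String serverId) {
        if (serverId == null || serverId.isEmpty() || serverId.indexOf('/') >= 0)
            throw new IllegalArgumentException("server id must be a single path segment");
        ISecurePreferences root = SecurePreferencesFactory.getDefault();
        if (root == null) // default secure storage could not be opened
            throw new IllegalStateException("secure storage unavailable");
        return root.node(ROOT).node(serverId);
    }

    /** Stores the admin password encrypted; may trigger the master password prompt. */
    public static void savePassword(String serverId, String password)
            throws StorageException, IOException {
        ISecurePreferences n = node(serverId);
        n.put(KEY_PASSWORD, password, true); // true = encrypt the value
        n.flush();                           // persist to the secure storage file
    }

    /** Returns the stored password, or null if none was saved for this server. */
    public static String loadPassword(String serverId) throws StorageException {
        return node(serverId).get(KEY_PASSWORD, null);
    }

    /** Drops the credential when the server definition is deleted. */
    public static void forgetPassword(String serverId) throws IOException {
        ISecurePreferences n = node(serverId);
        n.remove(KEY_PASSWORD);
        n.flush();
    }

    /** Settings safe to write to the XML state file: everything except the password. */
    public static Properties xmlSettings(String host, int port, String user) {
        Properties p = new Properties();
        p.setProperty("host", host);
        p.setProperty("port", Integer.toString(port));
        p.setProperty("user", user);
        return p;
    }
}
```

Deferring `loadPassword` until a connection is actually opened keeps the secure storage prompt from appearing for users who never use the server.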
