Analysis
Summary
The current KeyManager definition in Elytron requires a password to be specified for decrypting KeyStore items. Legacy PicketBox implementations did not require this password: when it was not specified, the password for decrypting the whole KeyStore was used. We would like to achieve the same behavior in Elytron. That is not simple, because KeyStore and KeyManager are two different resources here, and it would be undesirable to allow client code to obtain the password.
Requirements
- It should be possible to define a KeyManager without specifying a password; the password would then be obtained from the KeyStore definition.
- Client code should not be able to obtain the KeyStore password.
General
Tracking Issues
Issue raising the requirement - WFCORE-3075
Developer Resources
Possible solution 1
Wrap the KeyStore in an Elytron-specific interface, PasswordProvidingKeyStore, which would allow the password to be obtained from the KeyStore object obtained from the capability. A permission check could be added: ElytronPermission("getKeyStorePassword") would be required to obtain the KeyStore password.
Disadvantage: to be consistent, we should check the permission through the security manager, which would not work with the security manager disabled. (It is still possible, though, to call AccessController instead and check the permission without a security manager too.)
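A sketch of this option, added here as an illustration and not taken from Elytron's code base, showing both ways of checking the permission and the KeyManager falling back to the KeyStore password. The method names, GuardedKeyStore, KeyManagerSupport, the checkWithoutManager flag and the KeyStorePasswordPermission stand-in for ElytronPermission are assumptions; it also assumes a JDK that still supports the Security Manager.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

// Stand-in for ElytronPermission("getKeyStorePassword") so the sketch needs no Elytron jar.
final class KeyStorePasswordPermission extends BasicPermission {
    KeyStorePasswordPermission() { super("getKeyStorePassword"); }
}

// Hypothetical shape of the wrapper named in the proposal; method names are assumptions.
interface PasswordProvidingKeyStore {
    KeyStore getKeyStore();
    char[] getPassword(); // throws SecurityException if the caller lacks the permission
}

final class GuardedKeyStore implements PasswordProvidingKeyStore {
    private final KeyStore keyStore;
    private final char[] password;
    private final boolean checkWithoutManager; // hypothetical switch between the two options
    GuardedKeyStore(KeyStore keyStore, char[] password, boolean checkWithoutManager) {
        this.keyStore = keyStore;
        this.password = password.clone();
        this.checkWithoutManager = checkWithoutManager;
    }
    @Override public KeyStore getKeyStore() { return keyStore; }
    @Override public char[] getPassword() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new KeyStorePasswordPermission()); // consistent with other checks
        } else if (checkWithoutManager) {
            // Checks the protection domains on the call stack even with no manager installed.
            AccessController.checkPermission(new KeyStorePasswordPermission());
        } // otherwise nothing is checked: the disadvantage noted above
        return password.clone(); // hand out a copy, never the stored array
    }
}

final class KeyManagerSupport {
    // KeyManager with no password of its own: fall back to the KeyStore's password.
    static KeyManager[] keyManagers(PasswordProvidingKeyStore ks, char[] own) throws GeneralSecurityException {
        char[] pw = own != null ? own : ks.getPassword();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks.getKeyStore(), pw);
        return kmf.getKeyManagers();
    }
}
```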
Developer Contacts
Jan Kalina - jkalina@redhat.com