Seems to me the weakest link in the security chain usually comes back to passwords (keystore private key password for example).
I'm using JAAS in my web app, and it appears I can't use the user's password if I want to also hash-store their passwords.
Also it's a bad idea to stick passwords in java class files because they are relatively easy to extract.
I was wondering about specifying a "root" password at startup time, on the command line, ideally setting a JNDI env entry, which can then be looked up by the relevant class (only).
Can anyone comment on the pros and cons of this idea?
1) Don't know if JNDI is particularly secure - like any class can read any section of JNDI?
2) Don't know how to set JNDI settings from jboss run command (they're not the same as system properties after all)
3) Guess I could use a separate app, but that would imply 1) was a problem.
Any input gratefully received
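One defensive pattern that addresses the first concern in the post (keeping a keystore password out of class files and off the command line) is to read it from a file that only the service account can open, hold it as a char[] and wipe it once the keystore is loaded. The example below is added here for illustration; it is not code from the original post, from JBoss or from JAAS. The environment variable name APP_KEYSTORE_PASSWORD_FILE, the keystore type "JKS" and the 256-character limit are assumptions chosen for the example. Command-line arguments are visible to other local users through `ps` on most Unix systems, which is why the path (and not the password) is passed, and why it is passed through the environment rather than as an argument.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not from the original post, JBoss or JAAS): load a keystore
 * whose password lives in a file readable only by the service account
 * (e.g. chmod 600), instead of in a class file or on the command line.
 */
public final class KeystoreLoader {

    /** Upper bound on the password length; an assumption for this example. */
    private static final int MAX_PASSWORD_CHARS = 256;

    private KeystoreLoader() {}

    /**
     * Reads the first line of the password file into a char[] without ever
     * building a String, so the only copy can be wiped by the caller.
     */
    static char[] readPassword(Path passwordFile) throws IOException {
        char[] buf = new char[MAX_PASSWORD_CHARS];
        int n = 0;
        try (InputStream in = Files.newInputStream(passwordFile);
             Reader r = new InputStreamReader(in, StandardCharsets.UTF_8)) {
            int c;
            while ((c = r.read()) != -1 && c != '\n' && c != '\r') {
                if (n == buf.length) {
                    Arrays.fill(buf, '\0');
                    throw new IOException("password longer than " + MAX_PASSWORD_CHARS + " chars");
                }
                buf[n++] = (char) c;
            }
        }
        char[] password = Arrays.copyOf(buf, n);
        Arrays.fill(buf, '\0'); // wipe the oversized working buffer
        return password;
    }

    /** Opens the keystore with the password from passwordFile and wipes the password afterwards. */
    static KeyStore loadKeyStore(Path keystoreFile, Path passwordFile, String type)
            throws IOException, GeneralSecurityException {
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // password is no longer needed once the store is open
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: KeystoreLoader <keystore-file>");
            System.exit(2);
        }
        // Only the *path* to the password file is taken from the environment
        // (APP_KEYSTORE_PASSWORD_FILE is an assumed name); the password itself never
        // appears in argv, where other local users could read it via ps.
        String passwordPath = System.getenv("APP_KEYSTORE_PASSWORD_FILE");
        if (passwordPath == null) {
            throw new IllegalStateException("APP_KEYSTORE_PASSWORD_FILE is not set");
        }
        KeyStore ks = loadKeyStore(Paths.get(args[0]), Paths.get(passwordPath), "JKS");
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

Inside a container such as JBoss the main method would be replaced by whatever component opens the keystore at startup, but the same points apply: keep the password out of argv and class files, restrict the file's permissions to the account the server runs as, and zero the char[] as soon as the store is loaded.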