To clarify this a bit more - is it possible to define the connection to a keystore with JCA?
If you write the jca adaptor you can. We have no jca adaptor which performs this function.
The problem I see is that the keystore API doesn't deal with principals. Am I missing something? I can't believe this is a unique problem.
The keystore deals with string aliases. Using the Principal.getName() as the alias in the keystore solves this.
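The alias scheme suggested in that reply, as an added example that is not code from this thread or from JBoss: the key entry's alias is `Principal.getName()`, but the entry itself stays protected by a per-entry password passed as a `KeyStore.PasswordProtection`, so presenting a Principal with the right name is not by itself enough to recover the key. The `AppPrincipal` class, the `"alice"` name and the `"entry-secret"` password are constructed for the example; the store is a JCEKS keystore created in memory rather than loaded from a file.

```java
import java.security.KeyStore;
import java.security.Principal;
import java.security.UnrecoverableEntryException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example (not from the thread): Principal name as keystore alias,
// with the entry still guarded by its own password.
public class PrincipalAliasKeyStore {

    // Hypothetical minimal Principal, standing in for whatever the login module produces.
    static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stores a fresh AES key under the principal's name, protected by entryPassword.
    static KeyStore createStore(Principal p, char[] entryPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");   // JCEKS can hold SecretKey entries
        ks.load(null, null);                           // null stream = new, empty, in-memory store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        ks.setEntry(p.getName(),
                    new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(entryPassword));
        return ks;
    }

    // Looks the key up by Principal name; the entry password is still required.
    // Returns the key, or throws if the alias is absent or the password is wrong.
    static SecretKey lookup(KeyStore ks, Principal p, char[] entryPassword) throws Exception {
        KeyStore.Entry e = ks.getEntry(p.getName(), new KeyStore.PasswordProtection(entryPassword));
        if (!(e instanceof KeyStore.SecretKeyEntry)) {   // null (unknown alias) also fails here
            throw new IllegalStateException("no secret key entry for " + p.getName());
        }
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        Principal alice = new AppPrincipal("alice");          // constructed sample principal
        char[] pw = "entry-secret".toCharArray();             // constructed sample password
        KeyStore ks = createStore(alice, pw);

        SecretKey k = lookup(ks, alice, pw);
        System.out.println("alias=" + alice.getName() + " algorithm=" + k.getAlgorithm());

        // A Principal with the right name but the wrong entry password does not get the key.
        try {
            lookup(ks, new AppPrincipal("alice"), "wrong".toCharArray());
        } catch (UnrecoverableEntryException ex) {
            System.out.println("wrong entry password rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```

The entry password is the second factor here: the authenticated Principal selects which entry to read, and the password (held by the application, not derived from the Principal) decides whether it can be read at all. Compile and run with `javac PrincipalAliasKeyStore.java && java PrincipalAliasKeyStore`.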
Sorry - when I said Principal, I was referring to it as an authenticated entity, thus negating the need for a password in the Keystore.getKey() method.
However, I'm starting to think it's not such a good idea anyway, because all someone would have to do to get a key from the store would be to write a simple authentication module - produce the Principal and steal the key from the store.
I wonder what the standard solution to this problem is - I want JAAS auth because I thought it was the "blessed" solution from Sun et al, but I'm still stuck with other passwords for PBE or secret key access.... frustrating.
All the technical stuff I've read seems to avoid this issue. It's no good embedding passwords in Java classes, as they can be extracted with decompilation.
Is it secure to pass at least singular passwords into JBoss as a system property?
I suppose a "signed" Principal would be good - signed by the login module, and the keystore has the public key of the login module, but then I'm back to the problem of securing the login module's private key. Plus the container would have to understand the "signed" Principal, so that idea doesn't fly :-(