Hi Neven,

thanks for your work !

I had the change to have a look at your code. Looks good, have some comments, though:

I already have a Base64 decoding in AuthorizationHeaderParser in the OSGi package. I extracted this, added a encode() and put it into a Base64Util on master, so you can easily reuse it.
For the CLI API: I would make encode a pure command, not an option. So its on the same footstep as start,stop,toggle. This would also help with the parsing problem, because no parsing is required at all, if we use delimiters which are not starting with -. I suggest to use {{ ... }} as delimiters (in order to allow people to have plain passwords starting with {). Makes it bit more safe and cleare that its a encoded/crypted password.
It would be cool, when the command encode is given and no further argument that then also the standard input is read so that it could be put into a shell pipeline. E.g.

java -jar jolokia.jar encode s3cr3t
curl https://pw.intranet/jolokia-pwd | java -jar jolokia.jar encode

I think that would give this feature a nice touch (but of course is not mandatory)

Personally I wouldn't put the jolokia 'master' password into a textfile below /META-INF. The reason is, that this encryption feature obviously only helps in avoiding accidental spoofing. Since Jolokia needs to decrypt the keystore password, it must have the symmetrically keysomewhere in its jar. It shouldn't be to easy to read this password, putting it into a textfile needs only a jar xvf to get to this master password. Since it is also only used internally I would keep it into a constant within the code. So you would need in addition a decompiler to get to the code. Yes, nothing is really secure here and we need to take care to keep this master password stable across releases. It's only about not to make it too easy. Ok, if you want to individualize the master password, what about checking for this property file and, if not existant, take the internal, default one. And by default we don't deliver such a pw file.

Protect keystorePassword in case https is used #164

Description