
Key: GLASSFISH-14988
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Tim Quinn
Reporter: Harshad Vilekar
Votes: 0
Watchers: 1
glassfish

Can not browse to the REST URL with hostname

Created: 03/Dec/10 04:03 PM   Updated: 03/Feb/11 03:43 PM   Resolved: 04/Dec/10 05:07 PM
Component/s: security
Affects Version/s: 3.1_b31
Fix Version/s: 3.1_b32

Time Tracking:
Not Specified

Environment:

Solaris 10, Sparc with Firefox 3.6.10.


Tags: 3_1-regression
Participants: Harshad Vilekar, Mitesh Meswani and Tim Quinn


Description

Install glassfish, start domain, and browse to the REST URL, example: http://myhost.us.oracle.com:4848/monitoring/domain/

An "Authentication Required" pop-up dialog is displayed. The pop-up asks for a username and password. Authentication fails with the default username = "admin", password = <blank>.

This is a regression - compared to the previous promoted build.

Server log displays:

=========================

[#|2010-12-03T15:02:13.728-0800|INFO|oracle-glassfish3.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=124;_ThreadName=admin-thread-pool-4848(1);|Remote admin log-in attempt from host inet-hqmc01-i.oracle.com with username "admin" rejected because secure admin is disabled|#]

=========================

Workaround: Enable secure admin, and restart DAS.



Mitesh Meswani added a comment - 03/Dec/10 04:11 PM

Tim,

Assigning to you initially to complete the discussion on the following...

Following is from GenericAdminAuthenticator#loginAsAdmin(...). The code seems to suggest that we do not want to allow any access from remote host to DAS if secure admin is disabled. Shouldn't it allow at least AdminAccessController.Access.MONITORING?

[1] GenericAdminAuthenticator#loginAsAdmin(...)
{
    ....

    if ( ! NetUtils.isThisHostLocal(originHost) &&
         ! SecureAdmin.Util.isEnabled(secureAdmin) ) {
        logger.log(Level.INFO,
            lsm.getLocalString("remote.login.while.secure.admin.disabled",
                "Remote admin log-in attempt from host {0} with username \"{1}\" rejected because secure admin is disabled",
                originHost, user));
        return AdminAccessController.Access.NONE;
    }
    ....

}


Tim Quinn added a comment - 04/Dec/10 04:20 PM

I have a fix in my local workspace and am testing it.

I tested http://host:4848/__asadmin/[command]

and http://host:4848/monitoring/domain

and both are now giving the correct responses.


Tim Quinn added a comment - 04/Dec/10 05:07 PM

Fix checked in.

Project: glassfish
Repository: svn
Revision: 43457
Author: tjquinn
Date: 2010-12-05 01:07:00 UTC
Link:

Log Message:
------------
Fix for 14988

The authentication logic was incorrectly rejecting monitoring-only access from remote clients.

Tests: QL, manual asadmin and REST via browser tests

Revisions:
----------
43457

Modified Paths:
---------------
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
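
An added model of the access decision this issue is about, side by side before and after the fix. It is not GlassFish code and the real change in r43457 is not shown on the page; the FULL level, the credential check and the post-fix shape (remote client with secure admin disabled gets monitoring-only access, as the commit message states) are assumptions.

```java
/** Model of the GLASSFISH-14988 access decision. Not GlassFish code: the real
 *  GenericAdminAuthenticator has more branches; FULL and the credential check
 *  are assumptions, only NONE and MONITORING appear in the issue. */
public class AdminAccessModel {

    /** Access levels, lowest to highest. */
    public enum Access { NONE, MONITORING, FULL }

    /** Pre-fix policy, following the loginAsAdmin excerpt: the remote-host
     *  check runs first and rejects every remote request outright. */
    public static Access beforeFix(boolean originIsLocal, boolean secureAdminEnabled,
                                   boolean credentialsValid) {
        if (!originIsLocal && !secureAdminEnabled) {
            return Access.NONE;            // even a read-only GET is refused
        }
        return credentialsValid ? Access.FULL : Access.NONE;
    }

    /** Post-fix policy as the commit message describes it (assumed shape):
     *  remote clients with secure admin disabled get monitoring-only access. */
    public static Access afterFix(boolean originIsLocal, boolean secureAdminEnabled,
                                  boolean credentialsValid) {
        if (!credentialsValid) {
            return Access.NONE;
        }
        if (!originIsLocal && !secureAdminEnabled) {
            return Access.MONITORING;      // read-only; admin commands still refused
        }
        return Access.FULL;
    }

    /** True when the granted level covers what the request needs. */
    public static boolean permits(Access granted, Access required) {
        return granted.compareTo(required) >= 0;
    }

    public static void main(String[] args) {
        System.out.println("local  secureAdmin  before      after");
        for (boolean local : new boolean[] {true, false}) {
            for (boolean secure : new boolean[] {true, false}) {
                System.out.printf("%-6b %-12b %-11s %s%n", local, secure,
                        beforeFix(local, secure, true), afterFix(local, secure, true));
            }
        }
        // The reporter's case: remote browser, secure admin off, valid credentials.
        Access g = afterFix(false, false, true);
        System.out.println("GET /monitoring/domain allowed: " + permits(g, Access.MONITORING));
        System.out.println("remote admin command allowed:   " + permits(g, Access.FULL));
    }
}
```

The table shows that only the remote, secure-admin-disabled row changes (NONE becomes MONITORING); remote administrative commands remain refused until secure admin is enabled.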


Harshad Vilekar added a comment - 03/Feb/11 03:43 PM

Verified: 3.1 b40.