GLASSFISH-14988

Can not browse to the REST URL with hostname

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1_dev
    • Fix Version/s: 3.1_dev
    • Component/s: security
    • Labels:
      None
    • Environment:

      Solaris 10, Sparc with Firefox 3.6.10.

      Description

      Install glassfish, start domain, and browse to the REST URL, example: http://myhost.us.oracle.com:4848/monitoring/domain/

      "Authentication Required" popup dialog is displayed. The pop up asks for username and password. Authentication fails with default Username = "admin", password = <blank>.

      This is a regression compared to the previous promoted build.

      Server log displays:

      =========================

      [#|2010-12-03T15:02:13.728-0800|INFO|oracle-glassfish3.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=124;_ThreadName=admin-thread-pool-4848(1);|Remote admin log-in attempt from host inet-hqmc01-i.oracle.com with username "admin" rejected because secure admin is disabled|#]

      =========================

      Workaround: Enable secure admin, and restart DAS.

        Activity

        Mitesh Meswani added a comment -

        Tim,

        Assigning to you initially to complete discussion on following...

        Following is from GenericAdminAuthenticator#loginAsAdmin(...). The code seems to suggest that we do not want to allow any access from remote host to DAS if secure admin is disabled. Shouldn't it allow at least AdminAccessController.Access.MONITORING?

        [1] GenericAdminAuthenticator#loginAsAdmin(...)
        {
            ....

            if ( ! NetUtils.isThisHostLocal(originHost) &&
                 ! SecureAdmin.Util.isEnabled(secureAdmin) ) {
                logger.log(Level.INFO,
                    lsm.getLocalString("remote.login.while.secure.admin.disabled",
                        "Remote admin log-in attempt from host {0} with username \"{1}\" rejected because secure admin is disabled",
                        originHost, user));
                return AdminAccessController.Access.NONE;
            }
            ....
        }

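The point raised in the comment above is an access-tier question: the quoted gate returns NONE for every remote caller when secure admin is disabled, so a remote caller who only wants read-only monitoring is refused together with one who wants full admin rights. The following is an added illustration of that distinction and is not GlassFish code; it does not reproduce the actual fix in r43457 (which this page does not show). The enum and method names (Access, Requested, decideBefore, decideAfter) and the ordering of the credential check relative to the secure-admin gate are assumptions made for the illustration.

```java
// Added illustration, not GlassFish's own code and not the r43457 fix.
// Models the decision the thread discusses: what a caller gets when the
// origin is remote and secure admin is disabled. All names are hypothetical.
public class AdminAccessDecision {

    /** Access tiers, mirroring the three levels the thread refers to. */
    enum Access { NONE, MONITORING, FULL }

    /** What the caller is asking for. Hypothetical: how the real code derives this is not shown on the page. */
    enum Requested { MONITORING, FULL }

    /**
     * Behaviour matching the gate quoted in the comment: any remote login
     * while secure admin is disabled is refused outright, before credentials
     * or the requested tier are even considered.
     */
    static Access decideBefore(boolean originIsLocal, boolean secureAdminEnabled,
                               boolean credentialsValid, Requested requested) {
        if (!originIsLocal && !secureAdminEnabled) {
            return Access.NONE;            // the branch the bug report hits
        }
        if (!credentialsValid) {
            return Access.NONE;
        }
        return requested == Requested.FULL ? Access.FULL : Access.MONITORING;
    }

    /**
     * Hypothetical corrected behaviour: the secure-admin gate caps remote
     * access at MONITORING instead of denying everything. Authentication
     * still has to succeed first, and FULL is still refused remotely while
     * secure admin is off, so the change does not reopen remote admin over
     * plain HTTP; it only stops rejecting the read-only tier.
     */
    static Access decideAfter(boolean originIsLocal, boolean secureAdminEnabled,
                              boolean credentialsValid, Requested requested) {
        if (!credentialsValid) {
            return Access.NONE;
        }
        Access granted = requested == Requested.FULL ? Access.FULL : Access.MONITORING;
        if (!originIsLocal && !secureAdminEnabled && granted == Access.FULL) {
            return Access.NONE;            // remote full admin still needs secure admin
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed cases for illustration, not taken from any real DAS.
        Object[][] cases = {
            // originIsLocal, secureAdminEnabled, credentialsValid, requested
            { true,  false, true,  Requested.FULL },        // local asadmin, secure admin off
            { false, false, true,  Requested.MONITORING },  // the bug report: remote browser on the REST monitoring URL
            { false, false, true,  Requested.FULL },        // remote admin command, secure admin off
            { false, true,  true,  Requested.FULL },        // remote admin command after the workaround
            { false, false, false, Requested.MONITORING },  // remote, wrong password
        };
        for (Object[] c : cases) {
            boolean local = (Boolean) c[0], secure = (Boolean) c[1], creds = (Boolean) c[2];
            Requested req = (Requested) c[3];
            System.out.printf("local=%-5s secureAdmin=%-5s creds=%-5s requested=%-10s before=%-10s after=%s%n",
                    local, secure, creds, req,
                    decideBefore(local, secure, creds, req),
                    decideAfter(local, secure, creds, req));
        }
    }
}
```

The second case is the one from the description: before, a remote browser asking for monitoring data gets NONE (the "Authentication Required" loop); after, it gets MONITORING, while the third case shows that a remote caller asking for full admin rights with secure admin off is still refused. When reviewing any change of this kind, the thing to check is that the cap on the remote tier is enforced and not merely that the blanket gate was removed.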
        Tim Quinn added a comment -

        I have a fix in my local workspace and am testing it.

        I tested http://host:4848/__asadmin/[command]

        and http://host:4848/monitoring/domain

        and both are now giving the correct responses.

        Tim Quinn added a comment -

        Fix checked in.

        Project: glassfish
        Repository: svn
        Revision: 43457
        Author: tjquinn
        Date: 2010-12-05 01:07:00 UTC
        Link:

        Log Message:
        ------------
        Fix for 14988

        The authentication logic was incorrectly rejecting monitoring-only access from remote clients.

        Tests: QL, manual asadmin and REST via browser tests

        Revisions:
        ----------
        43457

        Modified Paths:
        ---------------
        trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
        trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
        trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java

        Harshad Vilekar added a comment -

        Verified: 3.1 b40.


          People

          • Assignee:
            Tim Quinn
          • Reporter:
            Harshad Vilekar
          • Votes:
            0
          • Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: