Issue Details (XML | Word | Printable)

Key: GLASSFISH-15687
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Critical Critical
Assignee: Anissa Lam
Reporter: shaline
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
glassfish

Error when admin-listener/SSL and HTTP tabs are clicked with secure-admin-enabled

Created: 25/Jan/11 02:06 PM   Updated: 21/Feb/11 03:44 PM   Resolved: 27/Jan/11 09:29 AM
Component/s: admin_gui
Affects Version/s: 3.1_b38
Fix Version/s: 3.1_b40

Time Tracking:
Not Specified

File Attachments: 1. Text File admingui.patch (14 kB) 26/Jan/11 10:49 PM - Anissa Lam

Environment:

OS: Solaris Sparc 10. Browser firefox 3.6


Tags: 3_1-approved 3_1-verified
Participants: Anissa Lam, shaline and sirajg


 Description  « Hide

GF build. Nightly dated b39-01/25/2011

Enable secure admin in CLI and bring up Console.
Select server-config/Network-Config/Network-listeners/admin-listener
Click on admin-listeners SSL tab.
We get the below Error:
An error has occurred
REST Request 'https://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/pu-protocol/ssl.json' failed with response code '404'.

Click on FileCache Tab: we get
An error has occurred
OPTIONS https://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/pu-protocol/http/file-cache returned a response status of 404

Click on HTTP tab of admin-listener:
we get
HTTP Status 500 -
type Exception report
javax.servlet.ServletException: java.lang.RuntimeException while attempting to process a 'beforeCreate' event for 'event220

The same issue is seen when pu-protocol, and admin-http-redirect protocol is selected and HTTP, and FileCache tabs are clicked for these 2 protocols.



Anissa Lam added a comment - 25/Jan/11 03:57 PM - edited

This is because GUI has decided not to support the lower level Grizzly configuration, like port-unification, protocol-finder etc. when doing the 3.1 planning. Reason being that we don't expect GlassFish user be using that.

<protocol name="pu-protocol">
<port-unification>
<protocol-finder protocol="sec-admin-listener" name="http-finder" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder>
<protocol-finder protocol="admin-http-redirect" name="admin-http-redirect" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder>
</port-unification>
<ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl>
</protocol>

<network-listener port="4848" protocol="pu-protocol" transport="tcp" name="admin-listener" thread-pool="admin-thread-pool"></network-listener>

However, it turns out that secure-admin is based on that. Thats why, when you go to the HTTP or FileCache tab for the admin-listener, you are seeing the exception.

We will not be able to support the configuration of admin-listener when secure-admin is on. It is too late to add any of the feature now.
We will either hide the HTTP or File Cache tab or print out the msg for user to use CLI to configure admin-listener instead of using GUI.


Anissa Lam added a comment - 26/Jan/11 10:48 PM

How bad is its impact? (Severity)
Pretty secure as we are seeing exception on screen.

How often does it happen? (Frequency)
Whenever secure-admin is turned on, and use goes to the edit admin-listener or the new protcol thats created due to secure-admin.

How much effort is required to fix it? (Cost)
1-1/2 days

What is the risk of fixing it? (Risk)
we are just hiding the tabs, really not changing any of the logic. So, it is very easy to see if the change is working correctly.

Does a work around for the issue exist? Can the workaround be reasonably employed by the end user?
No workaround.

If the issue is not fixed should the issue and its workaround (if applicable) be described in the Release Notes?
Probably won't help. User will just see the exception on screen. No work around for them anyway.


Anissa Lam added a comment - 26/Jan/11 10:49 PM

I have made the following changes, the patch attached.

  • when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often.
  • When edit Network Listener, If secure-admin is turned on, then test if the name of this listener is the one specified for the Virtual Server __asadmin. If it is, the following will happen:
  • SSL Tab, HTTP Tab and FileCache will be hidden.
  • When edit Protocol, Test if secure-admin is turned on, and this protocol is the one used by the listener of the the virtual server, __asadmin'. If it is, the following will happen:
  • SSL Tab, HTTP Tab and FileCache Tab will be hidden.
  • Save Button will be disabled. We don't want user to change the secure-enable setting for this protocol.
  • These 2 additional protocol will also behave as above, "sec-admin-listener' and 'admin-http-redirect'. Right now, it is hardcoded to these 2 names, since user will not be able to change this easily. In 3.2, we may want to revisit if we decide to support the other grizzly config element.

Since I need to enable/disable the Save button, I just have the button in the jsf page, instead of including editPageButtons.inc from /common/share. It is pretty straight forward.

I have ran the NetworkConfigTest devtest (although very limited now) for both case: enable/disable secure admin, and the 3 tests pass.


sirajg added a comment - 27/Jan/11 09:05 AM

In common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java
instead of "true".equals(secureAdminAttrs.get("enabled"))))
better to use proper boolean comparision
Otherwise changes look good.


Anissa Lam added a comment - 27/Jan/11 09:29 AM

thanks Siraj for reviewing. The line is changed to
if (Boolean.parseBoolean((String)secureAdminAttrs.get("enabled"))).

Fix checked in.

Project: glassfish
Repository: svn
Revision: 44742
Author: anilam
Date: 2011-01-27 17:22:01 UTC
Link:

Log Message:
------------
GLASSFISH-15687. Do not allow editing for the auto-created protocol and admin-listener when secure-admin is enabled.
The change include:

  • when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often
  • the SSL tab, HTTP tab and File Cache tab will not be displayed accordingly.
  • the Save button will not be enable for those protocols and admin-listener.

Approve: Anissa
Reviewer: Siraj.

Revisions:
----------
44742

Modified Paths:
---------------
trunk/v3/admingui/common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java
trunk/v3/admingui/web/src/main/resources/grizzly/protocolEdit.jsf
trunk/v3/admingui/web/src/main/resources/grizzly/protocolTabs.inc
trunk/v3/admingui/web/src/main/resources/grizzly/networkListenerEdit.jsf
trunk/v3/admingui/web/src/main/resources/grizzly/listenerTabs.inc


shaline added a comment - 10/Feb/11 02:32 PM

Verified in b42 nightly dated 02-09-2011