glassfish
  1. glassfish
  2. GLASSFISH-15687

Error when admin-listener/SSL and HTTP tabs are clicked with secure-admin-enabled

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1_b38
    • Fix Version/s: 3.1_b40
    • Component/s: admin_gui
    • Labels:
      None
    • Environment:

      OS: Solaris Sparc 10. Browser firefox 3.6

      Description

      GF build. Nightly dated b39-01/25/2011

      Enable secure admin in CLI and bring up Console.
      Select server-config/Network-Config/Network-listeners/admin-listener
      Click on admin-listeners SSL tab.
      We get the below Error:
      An error has occurred
      REST Request 'https://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/pu-protocol/ssl.json' failed with response code '404'.

      Click on FileCache Tab: we get
      An error has occurred
      OPTIONS https://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/pu-protocol/http/file-cache returned a response status of 404

      Click on HTTP tab of admin-listener:
      we get
      HTTP Status 500 -
      type Exception report
      javax.servlet.ServletException: java.lang.RuntimeException while attempting to process a 'beforeCreate' event for 'event220

      The same issue is seen when pu-protocol, and admin-http-redirect protocol is selected and HTTP, and FileCache tabs are clicked for these 2 protocols.

        Activity

        Hide
        Anissa Lam added a comment - - edited

        This is because GUI has decided not to support the lower level Grizzly configuration, like port-unification, protocol-finder etc. when doing the 3.1 planning. Reason being that we don't expect GlassFish user be using that.

        <protocol name="pu-protocol">
        <port-unification>
        <protocol-finder protocol="sec-admin-listener" name="http-finder" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder>
        <protocol-finder protocol="admin-http-redirect" name="admin-http-redirect" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder>
        </port-unification>
        <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl>
        </protocol>

        <network-listener port="4848" protocol="pu-protocol" transport="tcp" name="admin-listener" thread-pool="admin-thread-pool"></network-listener>

        However, it turns out that secure-admin is based on that. Thats why, when you go to the HTTP or FileCache tab for the admin-listener, you are seeing the exception.

        We will not be able to support the configuration of admin-listener when secure-admin is on. It is too late to add any of the feature now.
        We will either hide the HTTP or File Cache tab or print out the msg for user to use CLI to configure admin-listener instead of using GUI.

        Show
        Anissa Lam added a comment - - edited This is because GUI has decided not to support the lower level Grizzly configuration, like port-unification, protocol-finder etc. when doing the 3.1 planning. Reason being that we don't expect GlassFish user be using that. <protocol name="pu-protocol"> <port-unification> <protocol-finder protocol="sec-admin-listener" name="http-finder" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder> <protocol-finder protocol="admin-http-redirect" name="admin-http-redirect" classname="com.sun.grizzly.config.HttpProtocolFinder"></protocol-finder> </port-unification> <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl> </protocol> <network-listener port="4848" protocol="pu-protocol" transport="tcp" name="admin-listener" thread-pool="admin-thread-pool"></network-listener> However, it turns out that secure-admin is based on that. Thats why, when you go to the HTTP or FileCache tab for the admin-listener, you are seeing the exception. We will not be able to support the configuration of admin-listener when secure-admin is on. It is too late to add any of the feature now. We will either hide the HTTP or File Cache tab or print out the msg for user to use CLI to configure admin-listener instead of using GUI.
        Hide
        Anissa Lam added a comment -

        How bad is its impact? (Severity)
        Pretty secure as we are seeing exception on screen.

        How often does it happen? (Frequency)
        Whenever secure-admin is turned on, and use goes to the edit admin-listener or the new protcol thats created due to secure-admin.

        How much effort is required to fix it? (Cost)
        1-1/2 days

        What is the risk of fixing it? (Risk)
        we are just hiding the tabs, really not changing any of the logic. So, it is very easy to see if the change is working correctly.

        Does a work around for the issue exist? Can the workaround be reasonably employed by the end user?
        No workaround.

        If the issue is not fixed should the issue and its workaround (if applicable) be described in the Release Notes?
        Probably won't help. User will just see the exception on screen. No work around for them anyway.

        Show
        Anissa Lam added a comment - How bad is its impact? (Severity) Pretty secure as we are seeing exception on screen. How often does it happen? (Frequency) Whenever secure-admin is turned on, and use goes to the edit admin-listener or the new protcol thats created due to secure-admin. How much effort is required to fix it? (Cost) 1-1/2 days What is the risk of fixing it? (Risk) we are just hiding the tabs, really not changing any of the logic. So, it is very easy to see if the change is working correctly. Does a work around for the issue exist? Can the workaround be reasonably employed by the end user? No workaround. If the issue is not fixed should the issue and its workaround (if applicable) be described in the Release Notes? Probably won't help. User will just see the exception on screen. No work around for them anyway.
        Hide
        Anissa Lam added a comment -

        I have made the following changes, the patch attached.

        • when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often.
        • When edit Network Listener, If secure-admin is turned on, then test if the name of this listener is the one specified for the Virtual Server __asadmin. If it is, the following will happen:
        • SSL Tab, HTTP Tab and FileCache will be hidden.
        • When edit Protocol, Test if secure-admin is turned on, and this protocol is the one used by the listener of the the virtual server, __asadmin'. If it is, the following will happen:
        • SSL Tab, HTTP Tab and FileCache Tab will be hidden.
        • Save Button will be disabled. We don't want user to change the secure-enable setting for this protocol.
        • These 2 additional protocol will also behave as above, "sec-admin-listener' and 'admin-http-redirect'. Right now, it is hardcoded to these 2 names, since user will not be able to change this easily. In 3.2, we may want to revisit if we decide to support the other grizzly config element.

        Since I need to enable/disable the Save button, I just have the button in the jsf page, instead of including editPageButtons.inc from /common/share. It is pretty straight forward.

        I have ran the NetworkConfigTest devtest (although very limited now) for both case: enable/disable secure admin, and the 3 tests pass.

        Show
        Anissa Lam added a comment - I have made the following changes, the patch attached. when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often. When edit Network Listener, If secure-admin is turned on, then test if the name of this listener is the one specified for the Virtual Server __asadmin. If it is, the following will happen: SSL Tab, HTTP Tab and FileCache will be hidden. When edit Protocol, Test if secure-admin is turned on, and this protocol is the one used by the listener of the the virtual server, __asadmin'. If it is, the following will happen: SSL Tab, HTTP Tab and FileCache Tab will be hidden. Save Button will be disabled. We don't want user to change the secure-enable setting for this protocol. These 2 additional protocol will also behave as above, "sec-admin-listener' and 'admin-http-redirect'. Right now, it is hardcoded to these 2 names, since user will not be able to change this easily. In 3.2, we may want to revisit if we decide to support the other grizzly config element. Since I need to enable/disable the Save button, I just have the button in the jsf page, instead of including editPageButtons.inc from /common/share. It is pretty straight forward. I have ran the NetworkConfigTest devtest (although very limited now) for both case: enable/disable secure admin, and the 3 tests pass.
        Hide
        sirajg added a comment -

        In common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java
        instead of "true".equals(secureAdminAttrs.get("enabled"))))
        better to use proper boolean comparision
        Otherwise changes look good.

        Show
        sirajg added a comment - In common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java instead of "true".equals(secureAdminAttrs.get("enabled")))) better to use proper boolean comparision Otherwise changes look good.
        Hide
        Anissa Lam added a comment -

        thanks Siraj for reviewing. The line is changed to
        if (Boolean.parseBoolean((String)secureAdminAttrs.get("enabled"))).

        Fix checked in.

        Project: glassfish
        Repository: svn
        Revision: 44742
        Author: anilam
        Date: 2011-01-27 17:22:01 UTC
        Link:

        Log Message:
        ------------
        GLASSFISH-15687. Do not allow editing for the auto-created protocol and admin-listener when secure-admin is enabled.
        The change include:

        • when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often
        • the SSL tab, HTTP tab and File Cache tab will not be displayed accordingly.
        • the Save button will not be enable for those protocols and admin-listener.

        Approve: Anissa
        Reviewer: Siraj.

        Revisions:
        ----------
        44742

        Modified Paths:
        ---------------
        trunk/v3/admingui/common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java
        trunk/v3/admingui/web/src/main/resources/grizzly/protocolEdit.jsf
        trunk/v3/admingui/web/src/main/resources/grizzly/protocolTabs.inc
        trunk/v3/admingui/web/src/main/resources/grizzly/networkListenerEdit.jsf
        trunk/v3/admingui/web/src/main/resources/grizzly/listenerTabs.inc

        Show
        Anissa Lam added a comment - thanks Siraj for reviewing. The line is changed to if (Boolean.parseBoolean((String)secureAdminAttrs.get("enabled"))). Fix checked in. Project: glassfish Repository: svn Revision: 44742 Author: anilam Date: 2011-01-27 17:22:01 UTC Link: Log Message: ------------ GLASSFISH-15687 . Do not allow editing for the auto-created protocol and admin-listener when secure-admin is enabled. The change include: when init Session Attribute, test if secure-admin is enabled, and save that in the sessionMap since we will need this often the SSL tab, HTTP tab and File Cache tab will not be displayed accordingly. the Save button will not be enable for those protocols and admin-listener. Approve: Anissa Reviewer: Siraj. Revisions: ---------- 44742 Modified Paths: --------------- trunk/v3/admingui/common/src/main/java/org/glassfish/admingui/common/util/GuiUtil.java trunk/v3/admingui/web/src/main/resources/grizzly/protocolEdit.jsf trunk/v3/admingui/web/src/main/resources/grizzly/protocolTabs.inc trunk/v3/admingui/web/src/main/resources/grizzly/networkListenerEdit.jsf trunk/v3/admingui/web/src/main/resources/grizzly/listenerTabs.inc
        Hide
        shaline added a comment -

        Verified in b42 nightly dated 02-09-2011

        Show
        shaline added a comment - Verified in b42 nightly dated 02-09-2011

          People

          • Assignee:
            Anissa Lam
            Reporter:
            shaline
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: