glassfish
  1. glassfish
  2. GLASSFISH-16545

Allow secure admin to use username and password alias for inter-server authentication and authorization

    Details

    • Type: New Feature New Feature
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: 3.1.1_b10, 4.0
    • Component/s: admin
    • Labels:
      None

      Description

      Customer requests have asked for secure admin to permit username/password authentication and authorization for admin traffic among servers, not just exclusively SSL cert-based authentication and authorization.

        Activity

        Hide
        Tim Quinn added a comment -

        Adding info for 3.1.1 consideration:

        Why fix this issue in 3.1.1?
        Improve shortcomings in 3.1 implementation (as requested by customer)

        Which is the targeted build of 3.1.1 for this fix?
        b10

        Do regression tests exist for this issue?
        planned

        Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
        secure admin related tests (enable secure admin, restart, deploy and access, etc.)

        Show
        Tim Quinn added a comment - Adding info for 3.1.1 consideration: Why fix this issue in 3.1.1? Improve shortcomings in 3.1 implementation (as requested by customer) Which is the targeted build of 3.1.1 for this fix? b10 Do regression tests exist for this issue? planned Which tests should QA (re)run to verify the fix did not destabilize GlassFish? secure admin related tests (enable secure admin, restart, deploy and access, etc.)
        Hide
        scatari added a comment -

        Approved for 3.1.1.

        Regards to regressions tests, are these new tests? What type of tests are they, Unit/QL?

        Show
        scatari added a comment - Approved for 3.1.1. Regards to regressions tests, are these new tests? What type of tests are they, Unit/QL?
        Hide
        Tim Quinn added a comment -

        Fix checked in for 3.1.1:

        Project: glassfish
        Repository: svn
        Revision: 47742
        Author: tjquinn
        Date: 2011-06-28 15:23:07 UTC
        Link:

        Log Message:
        ------------
        Check-ins for 16437, 16438, 16545

        These changes enhance secure admin so that users can

        1. enable multiple certificates as authorized for admin operations
        2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates
        3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain.

        Approved: Sathyan
        Tests: QL, deployment single-instance and cluster devtests

        Revisions:
        ----------
        47742

        Modified Paths:
        ---------------
        branches/3.1.1/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java
        branches/3.1.1/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
        branches/3.1.1/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
        branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java
        branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java
        branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java
        branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties
        branches/3.1.1/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
        branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java
        branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
        branches/3.1.1/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java

        Added Paths:
        ------------
        branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java
        branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java
        branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java

        Show
        Tim Quinn added a comment - Fix checked in for 3.1.1: Project: glassfish Repository: svn Revision: 47742 Author: tjquinn Date: 2011-06-28 15:23:07 UTC Link: Log Message: ------------ Check-ins for 16437, 16438, 16545 These changes enhance secure admin so that users can 1. enable multiple certificates as authorized for admin operations 2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates 3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain. Approved: Sathyan Tests: QL, deployment single-instance and cluster devtests Revisions: ---------- 47742 Modified Paths: --------------- branches/3.1.1/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java branches/3.1.1/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java branches/3.1.1/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties branches/3.1.1/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java branches/3.1.1/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java Added Paths: ------------ branches/3.1.1/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java branches/3.1.1/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java
        Hide
        Tim Quinn added a comment -

        Fix checked into the trunk:

        Project: glassfish
        Repository: svn
        Revision: 48036
        Author: tjquinn
        Date: 2011-07-14 21:37:25 UTC
        Link:

        Log Message:
        ------------
        Check-ins for 16437, 16438, 16545

        These changes enhance secure admin so that users can

        1. enable multiple certificates as authorized for admin operations
        2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates
        3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain.

        Approved for 3.1.1: Sathyan
        Tests: QL, deployment single-instance and cluster devtests

        Revisions:
        ----------
        48036

        Modified Paths:
        ---------------
        trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties
        trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java
        trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java
        trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java
        trunk/v3/security/core/src/main/resources/com/sun/enterprise/security/admin/cli/LocalStrings.properties
        trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java
        trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
        trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java
        trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties
        trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
        trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java
        trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java

        Added Paths:
        ------------
        trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java
        trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java
        trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java

        Show
        Tim Quinn added a comment - Fix checked into the trunk: Project: glassfish Repository: svn Revision: 48036 Author: tjquinn Date: 2011-07-14 21:37:25 UTC Link: Log Message: ------------ Check-ins for 16437, 16438, 16545 These changes enhance secure admin so that users can 1. enable multiple certificates as authorized for admin operations 2. have GlassFish processes authenticate to each other using an admin username and password instead of certificates 3. stronger checking that admin messages from other GlassFish processes are from servers in the same domain. Approved for 3.1.1: Sathyan Tests: QL, deployment single-instance and cluster devtests Revisions: ---------- 48036 Modified Paths: --------------- trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/LocalStrings.properties trunk/v3/common/container-common/src/main/java/com/sun/enterprise/container/common/GenericAdminAuthenticator.java trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/DisableSecureAdminCommand.java trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/EnableSecureAdminCommand.java trunk/v3/security/core/src/main/resources/com/sun/enterprise/security/admin/cli/LocalStrings.properties trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminCommand.java trunk/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/ServerRemoteAdminCommand.java trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/LocalStrings.properties trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java trunk/v3/admin/util/src/main/java/com/sun/enterprise/admin/remote/RemoteAdminCommand.java trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminPrincipal.java Added Paths: ------------ trunk/v3/security/core/src/main/java/com/sun/enterprise/security/admin/cli/SecureAdminHelperImpl.java trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java trunk/v3/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminInternalUser.java

          People

          • Assignee:
            Tim Quinn
            Reporter:
            Tim Quinn
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: