GLASSFISH-17179

Security configuration files are not copied when embedded container is started using EJBContainer#createEJBContainer

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Component/s: embedded
    • Labels:
      None
    • Environment:

      JDK 6u26, Windows 7 Professional 64-bit, glassfish-embedded-all 3.1.1 Maven artifact

      Description

      When the embedded container is started using javax.ejb.embeddable.EJBContainer#createEJBContainer, security files like the keystores (e.g. cacerts.jks) are not being copied. This appears to be a regression from 3.1, as these files are copied correctly by the 3.1 version of the glassfish-embedded-all artifact.

      The problem seems to be caused by revision 47307, which introduced the use of com.sun.enterprise.security.EmbeddedSecurity when determining whether to copy the files. The root cause of the problem is that the org.glassfish.server.ServerEnvironmentImpl that is constructed and checked by com.sun.enterprise.security.embedded.EmbeddedSecurityUtil has a RuntimeType of "DAS" rather than "EMBEDDED."

      In my particular case, there is an additional CA certificate that needs to be added to the CA certificate keystore. Attempting to override the javax.net.ssl.trustStore property from outside the container (whether setting it as a JVM property or passing it as an entry in the Properties object passed to createEJBContainer) doesn't work because the property is being set programmatically from within the embedded container runtime.

      I'm starting the container with the following properties set:

      org.glassfish.ejb.embedded.glassfish.installation.root=/path/to/install/root
      org.glassfish.ejb.embedded.glassfish.instance.root=/path/to/install/root/domains/domain1
      org.glassfish.ejb.embedded.glassfish.configuration.file=/path/to/install/root/domains/domain1/config/domain.xml
      org.glassfish.ejb.embedded.glassfish.keep-temporary-files=true

      My modified version of cacerts.jks lives in /path/to/install/root/domains/domain1/config/. However, the version of cacerts.jks actually being used (i.e. in the temporary folder) is the version included with the glassfish-embedded-all artifact.
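
A check for the symptom described above, as an added example that is not part of the original report or GlassFish's own code: it reads the `javax.net.ssl.trustStore` property the runtime has set, compares that file with the modified `cacerts.jks`, and looks for the additional CA certificate in it. The class name `TrustStoreCheck` and its method names are hypothetical, and the keystore is assumed to be in JKS format.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;

/** Added example (hypothetical class): reports which trust store the JVM is using. */
public class TrustStoreCheck {

    static byte[] sha256(Path p) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p));
    }

    /** Returns true only if the effective trust store contains the given CA certificate. */
    static boolean effectiveStoreTrusts(Path expectedStore, Path caCertFile) throws Exception {
        String effective = System.getProperty("javax.net.ssl.trustStore");
        if (effective == null) {
            System.out.println("javax.net.ssl.trustStore is not set; JVM default applies");
            return false;
        }
        Path inUse = Paths.get(effective);
        System.out.println("trust store in use: " + inUse.toAbsolutePath());
        boolean same = Arrays.equals(sha256(inUse), sha256(expectedStore));
        System.out.println("byte-identical to " + expectedStore + ": " + same);

        Certificate ca;
        try (InputStream in = Files.newInputStream(caCertFile)) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(inUse)) {
            // null password: the integrity check is skipped, certificate entries stay readable
            ks.load(in, null);
        }
        String alias = ks.getCertificateAlias(ca);
        System.out.println(alias == null ? "CA certificate NOT present"
                                         : "CA certificate present as alias " + alias);
        return alias != null;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: modified cacerts.jks under <instance root>/config
        // args[1]: the additional CA certificate (PEM or DER)
        if (!effectiveStoreTrusts(Paths.get(args[0]), Paths.get(args[1]))) System.exit(1);
    }
}
```

Run stand-alone, `main` only sees a trust store passed with `-Djavax.net.ssl.trustStore`; to test the embedded runtime, call `effectiveStoreTrusts` in the same JVM after `createEJBContainer` has returned.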

        Activity

        atomicknight created issue -
        Cheng Fang added a comment -

        assign to security team to check why EmbeddedSecurityUtil has a RuntimeType of "DAS" rather than "EMBEDDED."

        Cheng Fang made changes -
        Field Original Value New Value
        Assignee marina vatkina [ mvatkina ] kumarjayanti [ kumarjayanti ]
        Component/s security [ 10618 ]
        Component/s ejb_container [ 10596 ]
        Component/s embedded [ 10643 ]
        Nithya Ramakrishnan added a comment -

        This seems to happen because the type argument is not being passed as an argument when the Embedded EJB container is created. In ServerEnvironmentImpl, the serverType seems to default to DAS, since the typeString argument is null. Transferring this issue to the Embedded team for fixing this.

        Nithya Ramakrishnan made changes -
        Assignee kumarjayanti [ kumarjayanti ] Bhavanishankar [ bhavanishankar ]
        Component/s embedded [ 10643 ]
        Component/s security [ 10618 ]
        Bhavanishankar added a comment -

        It is the correct behaviour of embedded GlassFish to return the serverType as DAS. Internal code should never depend on whether the server is running in EMBEDDED mode or standalone mode.

        Bhavanishankar made changes -
        Tags embedded ejb 3_1_2_exclude ejb embedded
        Bhavanishankar made changes -
        Tags 3_1_2_exclude ejb embedded ejb embedded
        Bhavanishankar made changes -
        Tags ejb embedded 3_1_2-exclude ejb embedded
        Bhavanishankar added a comment -

        assigning.

        Bhavanishankar made changes -
        Assignee Bhavanishankar [ bhavanishankar ] sakshi.jain [ sakshi.jain ]

          People

          • Assignee:
            sakshi.jain
            Reporter:
            atomicknight
          • Votes:
            2
            Watchers:
            3