Issue Details (XML | Word | Printable)

Key: GLASSFISH-17471
Type: Bug Bug
Status: Open Open
Priority: Major Major
Assignee: Harshad Vilekar
Reporter: james143
Votes: 0
Watchers: 2

If you were logged in you would be able to see more operations.

IIOP Listener pages can add SSL section to unencrypted orb listener causing another problem

Created: 25/Oct/11 05:24 AM   Updated: 12/Dec/13 01:39 PM
Component/s: orb
Affects Version/s: 3.1.1_b12
Fix Version/s: None

Time Tracking:
Not Specified


RHEL5 x64, RHEL6 x64

Tags: 3_1_2-exclude admin-gui corba iiop orb
Participants: Anissa Lam, boernd, Harshad Vilekar and james143

 Description  « Hide

When using the admin console if you view the SSL page for an unencrypted orb-listener and then save changes to something (even a change at the ORB level) then the following gets added to the XML for the <iiop-listener ...>
<ssl classname="com.sun...GlassfishSSLImpl" cert-nickname=""></ssl>

This does not effect the unencrypted nature of the iiop-listener but does seem to turn on required client authentication for the listener.
The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception.

Anissa Lam added a comment - 25/Oct/11 05:52 AM - edited

console is saving as user instructed. Please include the entire <iiop-listener> element also to confirm that "security-enabled" is not turned on.
Transfer to orb fo evaluation on why this should affect authentication.

james143 added a comment - 25/Oct/11 06:14 AM

"security-enabled" is not turned on, it's not present in : <iiop-listener id="orb-listener-1" port="3700" address="">

Harshad Vilekar added a comment - 02/Nov/11 12:40 AM

If "security-enabled" is not turned on for "orb-listener-1", then <ssl> element need not be present for orb-listener-1. Transfer to admin-gui for further analysis.

Anissa Lam added a comment - 04/Nov/11 04:25 AM

User does a 'save' thus the <ssl> is added. GUI is doing the correct thing.
Whether <ssl> element exists or not should not change the authentication behavior.
User also confirmed that 'security-enabled' is not present, which means it has the default value, "false".

Transfer to "orb" as why equired client authentication for the listener when security-enable is false.
And why "The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception."

boernd added a comment - 12/Dec/13 01:35 PM - edited


I can actually reproduce this issue (gf without doing any save operations in the DAS GUI.


  • Create a testinstance: ./asadmin create-instance --node localhost-domain1 testing
  • After creation the IIOP configuration looks like this:

<config name="testing-config">
<iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address=""></iiop-listener>

- Open the DAS GUI and browse to Configurations/testing-config/ORB/IIOP Listeners/orb-listener-1
- Click on the SSL tab. This click triggers changes to the domain.xml. Afterwards the iiop-listener looks like this

<iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="">
<ssl classname="" cert-nickname=""></ssl>

This change happens without any feedback in the GUI and after the restart you are confronted with CORBA_NO_PERMISSION exceptions and have no clue whats going on...