
Key: GLASSFISH-17471
Type: Bug
Status: Open
Priority: Major
Assignee: Harshad Vilekar
Reporter: james143
Votes: 0
Watchers: 2
glassfish

IIOP Listener pages can add SSL section to unencrypted orb listener causing another problem

Created: 25/Oct/11 05:24 AM   Updated: 12/Dec/13 01:39 PM
Component/s: orb
Affects Version/s: 3.1.1_b12
Fix Version/s: None

Time Tracking:
Not Specified

Environment:

RHEL5 x64, RHEL6 x64


Tags: 3_1_2-exclude admin-gui corba iiop orb
Participants: Anissa Lam, boernd, Harshad Vilekar and james143


Description

When using the admin console if you view the SSL page for an unencrypted orb-listener and then save changes to something (even a change at the ORB level) then the following gets added to the XML for the <iiop-listener ...>
<ssl classname="com.sun...GlassfishSSLImpl" cert-nickname=""></ssl>

This does not affect the unencrypted nature of the iiop-listener but does seem to turn on required client authentication for the listener.
The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception.



Anissa Lam added a comment - 25/Oct/11 05:52 AM - edited

Console is saving as user instructed. Please include the entire <iiop-listener> element also to confirm that "security-enabled" is not turned on.
Transfer to orb for evaluation on why this should affect authentication.


james143 added a comment - 25/Oct/11 06:14 AM

"security-enabled" is not turned on, it's not present in: <iiop-listener id="orb-listener-1" port="3700" address="qa-host.test.org">


Harshad Vilekar added a comment - 02/Nov/11 12:40 AM

If "security-enabled" is not turned on for "orb-listener-1", then <ssl> element need not be present for orb-listener-1. Transfer to admin-gui for further analysis.


Anissa Lam added a comment - 04/Nov/11 04:25 AM

User does a 'save' thus the <ssl> is added. GUI is doing the correct thing.
Whether <ssl> element exists or not should not change the authentication behavior.
User also confirmed that 'security-enabled' is not present, which means it has the default value, "false".

Transfer to "orb" as why required client authentication for the listener when security-enabled is false.
And why "The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception."


boernd added a comment - 12/Dec/13 01:35 PM - edited

Hi,

I can actually reproduce this issue (gf 3.1.2.2) without doing any save operations in the DAS GUI.

Scenario:

  • Create a test instance: ./asadmin create-instance --node localhost-domain1 testing
  • After creation the IIOP configuration looks like this:

<config name="testing-config">
[...]
<iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="0.0.0.0"></iiop-listener>

  • Open the DAS GUI and browse to Configurations/testing-config/ORB/IIOP Listeners/orb-listener-1
  • Click on the SSL tab. This click triggers changes to the domain.xml. Afterwards the iiop-listener looks like this:

<iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="0.0.0.0">
<ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl>
</iiop-listener>

This change happens without any feedback in the GUI and after the restart you are confronted with CORBA_NO_PERMISSION exceptions and have no clue what's going on...