GLASSFISH-17471

IIOP Listener pages can add SSL section to unencrypted orb listener causing another problem

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.1_b12
    • Fix Version/s: None
    • Component/s: orb
    • Labels: None
    • Environment: RHEL5 x64, RHEL6 x64

      Description

      When using the admin console, if you view the SSL page for an unencrypted orb-listener and then save changes to something (even a change at the ORB level), then the following gets added to the XML for the <iiop-listener ...>:
      <ssl classname="com.sun...GlassfishSSLImpl" cert-nickname=""></ssl>

      This does not affect the unencrypted nature of the iiop-listener but does seem to turn on required client authentication for the listener.
      The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception.

        Activity

        Anissa Lam added a comment - - edited

        Console is saving as user instructed. Please include the entire <iiop-listener> element also to confirm that "security-enabled" is not turned on.
        Transfer to orb for evaluation on why this should affect authentication.

        james143 added a comment -

        "security-enabled" is not turned on, it's not present in : <iiop-listener id="orb-listener-1" port="3700" address="qa-host.test.org">

        Harshad Vilekar added a comment -

        If "security-enabled" is not turned on for "orb-listener-1", then <ssl> element need not be present for orb-listener-1. Transfer to admin-gui for further analysis.

        Anissa Lam added a comment -

        User does a 'save' thus the <ssl> is added. GUI is doing the correct thing.
        Whether <ssl> element exists or not should not change the authentication behavior.
        User also confirmed that 'security-enabled' is not present, which means it has the default value, "false".

        Transfer to "orb" as why required client authentication for the listener when security-enabled is false.
        And why "The net effect of this is that unauthenticated connections to the listener get rejected with a CORBA_NO_PERMISSION exception."

        boernd added a comment - - edited

        Hi,

        I can actually reproduce this issue (gf 3.1.2.2) without doing any save operations in the DAS GUI.

        Scenario:

        • Create a testinstance: ./asadmin create-instance --node localhost-domain1 testing
        • After creation the IIOP configuration looks like this:

        <config name="testing-config">
        [...]
        <iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="0.0.0.0"></iiop-listener>

        • Open the DAS GUI and browse to Configurations/testing-config/ORB/IIOP Listeners/orb-listener-1
        • Click on the SSL tab. This click triggers changes to the domain.xml. Afterwards the iiop-listener looks like this:

        <iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="0.0.0.0">
        <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl>
        </iiop-listener>

        This change happens without any feedback in the GUI and after the restart you are confronted with CORBA_NO_PERMISSION exceptions and have no clue what's going on...
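
Added example, not part of the issue thread and not GlassFish code: a check that scans a domain.xml for the state described in the comments above, an iiop-listener that carries an <ssl> child while "security-enabled" is absent or not "true". The function name find_stray_ssl, the sample XML, and the listener ids "ssl-listener" and "plain-listener" are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippets quoted in this issue (not a real domain.xml).
# "ssl-listener" and "plain-listener", their ports and "s1as" are made-up contrast values.
SAMPLE_DOMAIN_XML = """\
<domain>
  <config name="testing-config">
    <iiop-listener id="orb-listener-1" port="${IIOP_LISTENER_PORT}" address="0.0.0.0">
      <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname=""></ssl>
    </iiop-listener>
    <iiop-listener id="ssl-listener" port="3820" address="0.0.0.0" security-enabled="true">
      <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
    </iiop-listener>
    <iiop-listener id="plain-listener" port="3701" address="0.0.0.0"></iiop-listener>
  </config>
</domain>
"""


def find_stray_ssl(xml_text):
    """Return (config name, listener id, cert-nickname) for every iiop-listener
    that has an <ssl> child although security-enabled is not "true"."""
    findings = []
    root = ET.fromstring(xml_text)
    for config in root.iter("config"):
        for listener in config.iter("iiop-listener"):
            ssl = listener.find("ssl")
            if ssl is None:
                continue  # no <ssl> child: the state of a freshly created instance
            # A missing attribute takes the default "false", as noted in the thread.
            enabled = listener.get("security-enabled", "false").strip().lower()
            if enabled != "true":
                findings.append((config.get("name"), listener.get("id"),
                                 ssl.get("cert-nickname", "")))
    return findings


if __name__ == "__main__":
    # Usage: python check_iiop_ssl.py /path/to/domain.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    for config_name, listener_id, nickname in find_stray_ssl(text):
        print(f"{config_name}/{listener_id}: <ssl> present (cert-nickname={nickname!r}) "
              "but security-enabled is not true")
```

Running it before and after browsing the admin console, or diffing domain.xml across that step, shows whether the silent change described in the last comment has occurred.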


          People

          • Assignee: Harshad Vilekar
          • Reporter: james143
          • Votes: 0
          • Watchers: 2
