
Remote admin traffic allowed even if secure admin is disabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0_b66
    • Fix Version/s: 4.0_b70
    • Component/s: admin
    • Labels: None

      Description

      Since the conversion to use ReST for all admin traffic, remote admin access is permitted even if secure admin is disabled.

        Activity

        Tim Quinn added a comment -

        In the 3.x implementation admin log-in combined authentication and authorization, and admin access was either denied, granted for read-only access (for monitoring access, for example), or granted for full access.

        With authentication and authorization separated more cleanly now, the concept of a "read-only" connection no longer makes sense in the same way, so the related code had been commented out of the RestAdapter.

        Especially because the default admin username and password are widely known (and documented), the server needs to deny remote access unless secure admin has been enabled.

        It looks as if a few changes to the RestAdapter and a few to the GenericAdminAuthenticator have resolved this. Testing and review underway.

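The policy this comment calls for (deny remote admin traffic unless secure admin is enabled, decided before and independently of whether the supplied credentials are valid), as an added illustration that is not GlassFish's own code: the function names, the address-based notion of "remote" and the sample addresses are assumptions, not taken from the RestAdapter or GenericAdminAuthenticator.

```python
import ipaddress
from typing import Tuple

# Constructed example of the check the bug report asks for. Hypothetical
# helper names; GlassFish's real adapters are not reproduced here.


def is_local_client(remote_addr: str) -> bool:
    """True if the client address is a loopback address (IPv4 or IPv6).

    IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are unwrapped first,
    since a plain string compare against "127.0.0.1" would misclassify them.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # an unparseable address is never trusted as local
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def admin_request_allowed(remote_addr: str, secure_admin_enabled: bool,
                          credentials_valid: bool) -> Tuple[bool, str]:
    """Authorization decision for one admin request.

    The remote/secure-admin check runs before credentials are looked at, so
    the widely documented default admin credentials never unlock remote
    access while secure admin is off; authentication only matters once the
    connection itself is permitted.
    """
    if not is_local_client(remote_addr) and not secure_admin_enabled:
        return False, "remote admin access denied: secure admin is disabled"
    if not credentials_valid:
        return False, "authentication failed"
    return True, "granted"
```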
        Tim Quinn added a comment -

        Several fixes together over the past couple of weeks have fixed this issue.


          People

          • Assignee: Tim Quinn
          • Reporter: Tim Quinn