[GLASSFISH-19436] 4.0 needs to restrict direct admin user access to instances so such connections are allowed to do only read operations

Created: 13/Dec/12
Updated: 20/Dec/16
Resolved: 09/Jan/13

Status: Resolved
Project: glassfish
Component/s: admin
Affects Version/s: 4.0_dev
Fix Version/s: 4.0_dev

Type: Bug
Priority: Major
Reporter: Tim Quinn
Assignee: Tim Quinn
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


In 3.x, GlassFish completely denies user admin access directly to instances. The rework of the admin protocol to use REST, combined with the move to separate authentication and authorization, has broken this. GlassFish 4.0 needs to prevent admin users from performing update operations by connecting directly to instances.

In an e-mail exchange with the security team I suggested a couple of alternatives, and Jeff prefers (as I do) using the authorization service to control this, rather than (as in 3.x) totally shutting off direct admin access to instances. (There are some cases - such as metrics - where that's useful.)

Comment by Tim Quinn [ 09/Jan/13 ]

A collection of check-ins has resolved this over the past couple of weeks.
