[GLASSFISH-19436] 4.0 needs to restrict direct admin user access to instances so such connections are allowed to do only read operations
Created: 13/Dec/12 Updated: 20/Dec/16 Resolved: 09/Jan/13
|Reporter:||Tim Quinn||Assignee:||Tim Quinn|
In 3.x GlassFish completely denies user admin access directly to instances. The rework of the admin protocol to use ReST combined with the move to separate authentication and authorization has broken this. GlassFish 4.0 needs to prevent admin users from performing update operations by connecting directly to instances.
In an e-mail exchange with the security team I suggested a couple of alternatives, and Jeff prefers (as I do) using the authorization service to control this, rather than (as in 3.x) totally shutting off direct admin access to instances. (There are some cases - such as metrics - where that's useful.)
|Comment by Tim Quinn [ 09/Jan/13 ]|
A collection of check-ins has resolved this over the past couple of weeks.