GlassFish 3.1.2: Secure By Default Changes

Secure by default is the characteristic of software where its default installation results in a secure configuration. Often there is a trade off between ease of use and the degree of default security.

In GlassFish 3.1.2 we have improved the secure by default behavior, and we've tried to do so without impacting the ease of use that GlassFish is known for (at least not impacting it too much). We had two main goals we were trying to satisfy in 3.1.2:

  1. More actively encourage the user to set an admin password at installation time.
  2. Require an admin password whenever remote administration (aka "secure admin") is enabled.

To achieve this you'll notice the following changes when you use 3.1.2:

  1. The installer now prompts for an admin password even in the default installation mode. You are still allowed to choose no password because remote administration is not enabled out of the box.
  2. Any time remote administration is enabled (by running the enable-secure-admin command for example), you will be required to have an admin password set. Basically GlassFish will do what it can to prevent you from enabling remote administration while not having an admin password.
  3. For the Oracle GlassFish Server commercial zip distributions (where there is no installer) you will be prompted for an admin password the first time you start the default domain (DAS). And just like with the installer, you are still allowed to choose no password because remote administration is not enabled out of the box. The open source / community zips continue to behave as they did in 3.1.1 (no prompting).

One issue our QA organization ran into when running their automated tests on the Oracle GlassFish Server commercial zip bundles had to do with their scripts that automatically installed (unzipped) GlassFish and started the default domain. These scripts started failing because the server was prompting for an admin password at startup.

The solution is to use the change-admin-password command to set an admin password before starting the domain. As part of the 3.1.2 changes we enhanced change-admin-password so that it could be run without the domain (DAS) running if you use the "--domain_name" option.  Here is an example of how to set the admin password on a domain before starting the domain the first time (command output removed for brevity):

$ unzip ogs-3.1.2-web.zip
$ cd glassfish3/glassfish
$ touch /tmp/password.txt
$ chmod 600 /tmp/password.txt
$ echo "AS_ADMIN_PASSWORD=" > /tmp/password.txt
$ echo "AS_ADMIN_NEWPASSWORD=newadminpassword" >> /tmp/password.txt
$ bin/asadmin --user admin --passwordfile /tmp/password.txt change-admin-password \
--domain_name domain1
$ rm /tmp/password.txt
$ bin/asadmin start-domain

This does the following:

  • Installs glassfish by unzipping the zip
  • Creates a file (/tmp/password.txt) to supply passwords to the asadmin command. We make sure the file is readable only by the user running asadmin and remove the file when we are done for security purposes. The file has two lines that look like:

  •  Uses the asadmin change-admin-password command to set the admin password on the domain. Now the domain can be started.

For more information about security changes in GlassFish 3.1.2 see Tim Quinn's blog entry, and as always the GlassFish Security Guide is recommended reading.

Join the discussion

Comments ( 4 )
  • guest Friday, March 9, 2012

    oh well. After upgrading to 3.1.2, some of our monitoring broke. We have an additional user --with-- password which regularly uses asadmin to fetch some information about glassfish and feeding it to nagios. Since the update, we get exceptions about this user not having administration access anymore... Any hints?

  • Joe Saturday, March 10, 2012

    You may want to post your question in the GlassFish form (http://www.java.net/forums/glassfish/glassfish). Include the exceptions you are getting and what version you were running before the upgrade. A couple things to check: Have you run "asadmin enable-secure-admin"? If you run "asadmin list-file-users --authrealmname admin-realm" does it list your additional user?

  • gpo Monday, March 12, 2012

    thx for the answer

    secure-admin is enabled and our user is listed in the admin-realm output.

    I'll re-post on the forum, thank you for the hints

  • guest Saturday, August 4, 2012

    thank you from jamal du MAROC :)

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.