I've been mucking around with GlassFish v3 prelude this evening. A couple of things I'm not sure about is how the security works.

It installed like a dream, so the first thing I did was remove the anonymous account and set up an "admin" account with "mysecretpassword" and specified the asadmin group for this user in the admin realm.

At that point the stop-domain command stopped working from the console (and/or start menu shortcut). Fair enough, but the stop-domain command accepts a --user argument but then wants a --passwordfile path supplied, and I didn't know where that was.

After some googling I chanced upon asadmin login -p 4848, which created a password file in my documents, and then stop-domain started working!

So the questions:

1) Is it possible to get stop-domain to prompt for a user/password?

2) This whole business of having a file with a (hashed) password doesn't sound great to me - why did they do it this way, and is it transferable, can it be disabled and if it can, how then do I stop the domain?

3) How do security realms work - as in what are they, and how do they differ?

4) What's the best resource (book, website, whatever) on GF v3?

+5  A: 

Glassfish relies upon a "master-password" file which is used to control access to the core admin commands (notably asadmin).

This master password is used to encrypt assorted bits within the GF system and configuration. By default, it's stored in the file $domain-dir/master-password.

If that file exists, then asadmin will not prompt for a password to make changes. If it does not exist, then it will prompt you. If you ever change the password, the system will automatically recreate this file.

Note, this isn't a role based thing, it's simply a password to the entire system.

So, that's the core password.

Next is the actual admin password.

When you create a domain, it asks you for an admin name and password. This information is stored in ~/.asadminpass file.

So, in the simple case of a local install, you can use asadmin without passwords or user information.

If you delete that file, then you will be prompted for a user and password.

The admin passwords are managed in the "admin-realm" within the app server.

Realms are a JEE construct used to represent authentication and authorization stores.

Realms provide user name, password, and role information.

By default GF uses file realms for its security information. Out of the box you have an "admin-realm" which is for users of the admin console. There is also an empty "file" realm for use by applications. Out of the box, Glassfish also supports an LDAP realm and a JDBC realm where credentials are stored in an LDAP and RDBMS respectively.

The Glassfish website and forums are currently the best resources available for this. It's a bit of a muddy time as v3 is still being worked on (v3 Prelude is just that, a prelude to the final release later this year), but there is still a lot of overlap with v2.

Will Hartung
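As an added example (not part of the answer above), here is one way to handle the --passwordfile the asker ran into: write the file asadmin reads with owner-only permissions, refuse to use it if anyone else can read it, and only then run stop-domain non-interactively. It assumes asadmin is on PATH, that the admin user is "admin", and that the file format is a single AS_ADMIN_PASSWORD=value line.

```shell
#!/bin/sh
# Added example, not from the original poster or the GlassFish project.
# Assumes: `asadmin` on PATH, admin user "admin", and a password file in the
# form "AS_ADMIN_PASSWORD=<value>" (the format asadmin --passwordfile reads).

# Create the password file so that only the owner can read or write it.
make_passwordfile() {
    file="$1"
    password="$2"
    old_umask=$(umask)
    umask 077                                   # new file is created 0600
    printf 'AS_ADMIN_PASSWORD=%s\n' "$password" > "$file"
    umask "$old_umask"
    chmod 600 "$file"                           # also fix perms if it already existed
}

# Return 0 only if the file exists and is not readable by group or others.
passwordfile_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case "$perms" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stop the domain with the password file, but only if it is private.
stop_domain_with_file() {
    file="$1"
    user="${2:-admin}"
    if ! passwordfile_is_private "$file"; then
        echo "refusing: $file is readable by other users" >&2
        return 1
    fi
    asadmin --user "$user" --passwordfile "$file" stop-domain
}
```

Run as `make_passwordfile ~/.gfpass mysecretpassword && stop_domain_with_file ~/.gfpass admin`; the check fails closed if the file's mode is ever loosened.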
A: 

I have a domain installed in production. When I start the domain the system asks for a password, the domain is falling alone, I would like to know if I can set a password for stopping the domain to avoid security failures.

Thank you.

Raul