How admin authentication works for V3-TP2

Here is how it works:

Step 1 - By default, no authentication

The default domain you get by unzipping the bundle has no authentication enforced: any user can connect to its http-listeners and manage the domain. The installer can create a domain with proper user and password protection for you, and asadmin create-domain can likewise create a domain that authenticates requests.

A user named "anonymous" is present if you chose no user and password during create-domain/installation. By default, the default domain (the one you got from unzipping web.zip or glassfish.zip) contains that same user in its admin-keyfile.

As long as the only user in admin-keyfile is anonymous, no authentication is enforced.

The moment you create an additional admin user, or create a domain whose admin user is not anonymous, authentication is enforced automatically.

Step 2 - Situation after creating an admin user

If you have a domain that does not authenticate admin requests, start enforcing it as follows:

  • create a file named, say, "file" (any name is ok) that contains the following entry:

AS_ADMIN_USERPASSWORD=your-admin-pass

  • asadmin create-file-user --authrealmname admin-realm --groups asadmin --passwordfile file <admin-user-name, say "admin">. This creates an entry for the user in that domain's admin-keyfile.
  • asadmin stop-domain
  • asadmin start-domain

From now on, all asadmin commands and all web requests will require a user name and password. To specify them:

  • create a file named "file" (say) with an entry like the one below:

AS_ADMIN_PASSWORD=your-admin-pass
(note the change from above: the create-file-user command needs AS_ADMIN_USERPASSWORD, every later command needs AS_ADMIN_PASSWORD)

  • start the domain.
  • asadmin <command> --user admin --passwordfile file
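The two-file procedure above, scripted, as an added example that is not part of the original page. It assumes asadmin is on PATH (override with ASADMIN), uses a constructed admin user name and file names, and keeps the password files owner-readable only, since anyone who can read them can administer the domain. The asadmin calls only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example: enforce admin authentication on a V3 TP2 domain.
# Assumption: `asadmin` is on PATH (set ASADMIN to override). User name,
# file names and password are constructed placeholders.
set -eu

ASADMIN="${ASADMIN:-asadmin}"
ADMIN_USER="${ADMIN_USER:-admin}"

# Write a one-line asadmin password file readable by its owner only.
# $1 = variable name (AS_ADMIN_USERPASSWORD for create-file-user,
#      AS_ADMIN_PASSWORD for every later command), $2 = path, $3 = password.
write_passwordfile() {
    _key=$1; _path=$2; _pass=$3
    # umask in a subshell so the file is created 0600 without changing the caller's umask
    ( umask 077; printf '%s=%s\n' "$_key" "$_pass" > "$_path" )
    chmod 600 "$_path"
}

# Return the value stored under key $2 in password file $1.
read_passwordfile() {
    sed -n "s/^$2=//p" "$1"
}

# Succeed only if password file $1 is not readable by group or others.
passwordfile_is_private() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $_mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 2 from the page: add the admin user, restart, then use --user/--passwordfile.
enforce_admin_auth() {
    write_passwordfile AS_ADMIN_USERPASSWORD ./newuser.pwd "$1"
    "$ASADMIN" create-file-user --authrealmname admin-realm --groups asadmin \
        --passwordfile ./newuser.pwd "$ADMIN_USER"
    "$ASADMIN" stop-domain
    "$ASADMIN" start-domain
    # From here on every command must authenticate; note the different key.
    write_passwordfile AS_ADMIN_PASSWORD ./admin.pwd "$1"
    "$ASADMIN" version --user "$ADMIN_USER" --passwordfile ./admin.pwd
}

# Only touch a real domain when asked explicitly:  sh enforce.sh --run 'your-admin-pass'
if [ "${1:-}" = "--run" ]; then
    enforce_admin_auth "$2"
fi
```

The password file is written under umask 077 and then chmod'ed, so a pre-existing world-readable file is tightened as well; passwordfile_is_private is the check to run before handing such a file to asadmin.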

What is protected

  • asadmin commands (remote commands like deploy; most asadmin commands are remote)
  • web requests to __asadmin (e.g. http://host:8080/__asadmin/version)
  • admin GUI
  • admin GUI download (i.e. host:port/admin starts the download of the Admin GUI if and only if the user has credentials)

What is NOT protected

The JMX channel. If you have started the domain with -Dcom.sun.management.jmxremote.port, that port does not authenticate requests from, say, JConsole.

Caution!

It uses HTTP Basic Auth. Of course, we all know that is a weak form of security, so this should not be confused with the TP-2 domain/server being "secure".
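To make the caution concrete, here is an added example (not from the original page) of what Basic Auth actually puts on the wire for a request to the version endpoint over plain HTTP. The captured request is constructed; the host, user and password are the placeholders used above.

```shell
#!/bin/sh
# Added example: HTTP Basic Auth is base64 encoding, not encryption.
# The request below is a constructed sample, not a real capture.
set -eu

SAMPLE_REQUEST='GET /__asadmin/version HTTP/1.1
Host: host:8080
Authorization: Basic YWRtaW46eW91ci1hZG1pbi1wYXNz
User-Agent: asadmin'

# Header value a client sends for user $1 with password $2.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover user:password from a captured request; anyone on the path can do this.
credentials_from_request() {
    printf '%s\n' "$1" | sed -n 's/^Authorization: Basic //p' | base64 -d
}

# Name of the user whose credentials a request carries (for log review).
user_from_request() {
    credentials_from_request "$1" | cut -d: -f1
}

printf 'credentials visible on the wire: %s\n' "$(credentials_from_request "$SAMPLE_REQUEST")"
```

Because the header decodes straight back to user:password, admin traffic on a TP2 domain should only cross a network you trust, and the password used here should not be shared with anything else.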