GlassFish Wiki : V3.1Security

GlassFish Server Open Source Edition 3.1 - Security

GlassFish Server Open Source Edition 3.1 - Security

Introduction
Scope
Design Document
Milestone Schedule
Task List
Estimates
Quality
Documentation
Workspace
Dev Tests
Email Alias
References

Introduction

The Security Features for V3.1 can be classified under the following high level tasks:

Scope

Feature ID	Priority	Description	Eng Response	Owner(s)	Estimate (Man Days)	Source of Requirement	Status / Comments
SEC-001	P2	Enhanced Security for Master password	Yes	Kumar	5	Vulnerability	80% complete, cleaned up code in Admin and Security Modules that deal with this. Working to fix how Grizzly gets this information securely. There is also a JarSigner usage in AppClient that seems to expect a password from the SecuritySupport SPI which needs to be cleaned up similarly.
SEC-002	P3	Cleanup universal grants in server.policy	Yes	Kumar	5	Some of the universal grants in server.policy are too accomodating and we need to clean it up to make the appserver more secure by default and more suitable for a cloud environment. Actual task is small but requires testing different areas of glassfish with SecurityManager ON after the cleanup	Started. Small dependency on ClassLoader team, we expect them to give right permissions to loaded application classes. Requirement communicated to Jerome.
SEC-004	P3	FailOver and Loadbalancing of Secure IIOP requests	No	Kumar + Nithya	20	CSIv2 never worked correctly in GF V2 with FOLB enabled	Dependency on CORBA Team. Initial discussion indicates the need for security team to do a major restructuring the code so that core CSIv2 Interfaces are moved into the ORB. While the CORBA team would do the moving of code into ORB, the security team needs to fix some things which are considered problematic. More details here
SEC-005	P3	WebLogic Deployment Descriptor Support	Yes	Kumar + Nithya	10	Adoption Strategy?	More details here
SEC-006	P2	Extend Certificate realm to allow custom validation and group assignment based on the recieved client certificate in an SSL Mutual Authentcation.	Yes	-	0	VOC	Completed , need to create a dev test
SEC-007	P3	Finalize the support for PAM Realm in V3.1. This will allow secure apps deployed on V3.1 to authenticate its users against the native Solaris/Linux users list.	Yes	Nithya	3	New Feature, subsumes and extends what we had in terms of SolarisRealm	Done, need to create a dev-test + blog and QA hand-off.
SEC-008	P3	Use of Tubes in GlassFish instead of Pipes for supporting Asychrony.	Yes	Nithya	10	Performance	Tubes have been implemented but not enabled. Risk : Special handling is required for ThreadLocals and GF-Security uses ThreadLocal(s) for a few set of things and we need make sure we are not breaking functionality here. There is an effort do define a new Tubes.next API that would be suitable for a full-featured support of asynchronous server side processing, addressable clients, as well as other requirements from WLS team. This is however not targeted for the GFv3.1 timeframe.
SEC-015	P1	OAM + OWSM support for 3.1.	Yes	Kumar + Nithya	20	Oracle Product Management	we will need to provide a backport for 2.x release. More details on the current proposal for OAM support are here
SEC-016	P1	Security related CLI support for 3.1	Yes	Nithya	20	Feature Parity	Need to verify existing security related CLIs and provide --target support to enable cluster security infrastructure support. Refer to [GlassFish 3.1 features wiki \|^GlassFishv3.1] (Security section) for complete CLI list.
SEC-017	P3	Making DevTests or a subset of it work in Embedded Mode	Yes	Nithya	5	recent reports on Security related failures in Embedded mode
SEC-018	P1	Policy-Translation for EJB's is happening during EJBDeployer.generateArtifacts() and needs to be changed to happen during Deployment.MODULE_LOADED event (on the lines of what happens for Web Modules).	NA	Kumar	5	Correctness	This will allow us to do complete policy translation on the Instances in clustered mode more details on policy-generation for cluster are here
SEC-019	P2	Localization and Message ID's of INFO Logs	Yes	Nithya + Kumar	7	V3.1 requirement	Logging Req Doc
SEC-020	P2	Module imported/exported packages cleanup	Yes	Kumar + Nithya	5	Performance	More details here
SEC-021	P3	ORB restructuring, fixing a long-standing concurrency issue	NA	Kumar	10	CR:6913736	Since the original plan of moving CSIv2 code around between ORB and GF-Security is not being planned for V3.1, the scope of the work has been reduced to issue CR:6913736. This CR only affects Standalone Clients. Reducing the Priority of this task to be the same as the priority of the Bug.

The features SEC-003, SEC-009 to SEC-012, SEC-014 which are P3/P4 in nature will be taken up if the team gets time to work on them (before the SCF). Otherwise these features would be deferred to a later release. SEC-013 is about updating some document errors in Servlet3.0 Security Chapter and Ron.Monzillo is aware of it and will be fixing them.

Design Document

The design documents are currently in draft phase, will be refined in coming days.

Milestone Schedule

Item #	Date/Milestone	Feature-ID	Description	QA/Docs Handover?	Status / Comments
–	MS2 (6/21)	Porting OWSM Interop related Fixes to Metro 1.6			DONE
01.	MS2 (6/21)	SEC-015	GlassFish OAM Integration	Yes	CODE COMPLETE, tested the Authenticator Mode with BASIC, FORM and CERTIFICATE authentication, Need to test Identity-Asserter Mode, which requires installing a Proxy-Server Front-Ending GlassFish and need to install Oracle AccessManager WebGate Plugin at the Proxy-Server and a ModJK connector to GlassFish
02.	MS3 (7/19)	SEC-006	see Scope table above	Yes will do QA/Docs handover with proper Dev Tests
03.	MS3 (7/19)	SEC-007	ditto	Yes
04.	MS3 (7/19)	SEC-018	ditto	Yes
05.	MS3 (7/19)	SEC-001	ditto	Yes
06.	MS3 (7/19)	SEC-002	ditto	Yes
07.	MS3 (7/19)	SEC-016	ditto	Yes
–	MS4	Policy alternatives in Metro
08.	MS4 (8/16)	SEC-017	ditto	NA	No visible effect for QA
09.	MS4 (8/16)	SEC-021	ditto	NA
–	MS5	Unified config in Metro
10.	MS5 (9/13)	SEC-005	ditto	Yes
11.	MS5 (9/13)	SEC-020	ditto	NA
12.	MS6	SEC-019	ditto	NA

Not do:

13.	–	SEC-003	ditto	Yes
14.	–	SEC-008	ditto	Yes
15.	–	SEC-004	ditto	Yes
16.	–	SEC-009	ditto	Yes
17.	–	SEC-012	ditto	Yes
18.	–	SEC-014	ditto	Yes

Task List

Jspwiki style: sortable

sortable

Task	Target Milestone	Start	End Date	Owner(s)	Feature ID	Status / Comments
Dev-Test for SEC-006	MS1	5/20	5/24	Kumar	SEC-006
Checkin PAM Realm and write Dev-Test	MS1	5/10	5/15	Nithya	SEC-007
Fix Policy Translation for EJB's	MS1	5/20	5/24	Kumar	SEC-018
Work on Functional Specs and Design	MS1	5/10	5/24	Kumar	NA
Get upto speed on Oracle OAM and OWSM	MS1	5/10	5/24	Kumar + Nithya	SEC-015	Need to install and experiment with samples from Oracle.
Dev-Tests in Embedded Mode	MS2	5/25	6/1	Nithya	SEC-017
Work on V3.0.1 fixes	NA	5/7	5/20	Kumar + Nithya	some more issues remain to be fixed in 3.0.1
Work on remaning issues with cleaning up of system props for master-password	MS2	5/25	6/1	Kumar	SEC-001
Cleaning up universal-grants in server.policy	MS2	6/2	6/7	Kumar	SEC-002	Depedency on ClassLoader Team making some suggested changes.
Securing Namespace access	MS2	6/2	6/12	Nithya	SEC-003
Re-design and Re-structure code in ejb.security module for enabling ORB to pull in CSIv2 interfaces	MS2	6/8	6/20	Kumar + Nithya	SEC-004	Nithya to join after completing SEC-003
Work on OAM Integration Feature	MS3	6/21	7/19	Kumar + Nithya	SEC-015	interleave 80%-20% with work for SEC-004
Work on IIOP FOLB with CSIv2	MS3	6/21	7/19	Kumar + Nithya	SEC-004	interleave 20%-80% with work for SEC-015
Work on IIOP FOLB with CSIv2	MS4	7/20	8/16	Kumar + Nithya	SEC-004	Also need to develop clustered dev-tests during this time.
Verify security related CLI support for V3.1	MS4	8/2	8/7	Nithya + Kumar	SEC-016	interleave with work for SEC-004
Use of Tubes instead of existing Pipes for WebServices Security in GF V3.1	MS4	7/20	8/1	Nithya	SEC-008	interleave with work for SEC-004
Clustered CSIv2 DevTests	MS3 + MS4			Nithya + Kumar	SEC-004	Need to create clustered tests for IIOP FOLB with CSIv2
Fix P1 bugs	MS4			Nithya + Kumar	N/A	MS4 is the SCF for infrastructure. All P1 bugs need to be addressed
Logging Guidelines compliance	MS5	8/17	8/24	Kumar + Nithya	SEC-019
Module export/import cleanup	MS5	8/25	9/1	Kumar + Nithya	SEC-020
Weblogic DD Support	MS5	8/17	8/27	Kumar + Nithya	SEC-005

Estimates

Quality

Link to Test Plan

Documentation

Link to Documentation

Workspace

module name(s): security/*

Dev Tests

Dev tests

Email Alias

Please contact us at dev@glassfish.java.net
vbkumar.jayanti@sun.com
Nithya.Subramanian@Sun.COM

References

GlassFish v3.1 Plans including Sub Projects