dev@glassfish.java.net

anonymous admin login

From: Bill Shannon <bill.shannon_at_sun.com>
Date: Wed, 09 Sep 2009 14:29:58 -0700

We've been struggling with a number of issues related to anonymous
admin login, such as:
https://glassfish.dev.java.net/issues/show_bug.cgi?id=8673

It's been unclear how the transition from anonymous login to
authenticated login should work.

It's also the case that if you send incorrect credentials to a
domain that's configured for anonymous login, it will accept them,
which can hide configuration errors.


Several of us discussed these issues offline and we decided to simplify
all of this. Here's what we'll do...

We'll remove the "anonymous" user. Instead, there will be a default
admin user named "admin" with no password.

If there's exactly one admin user (whatever the name), with no password,
unauthenticated login will be allowed. The admin GUI will send you to
the main page without you needing to type anything to the login page.
For the admin CLI, if you don't specify a --user option, it will send
requests with no authentication information, which will be accepted in
this case. If you specify a user name, it must be the correct user
name with the correct (by default empty) password.

When creating a new domain you can choose the name of the admin user
(or use the default). You can also specify a --nopassword option and
you won't be prompted for a password for the admin user (avoiding the
need to provide a password file for scripts that create such domains).

An important aspect of this change is that creating a domain with
"--user anonymous" is no longer special; you'll be required to specify
a password using a password file, or use the --nopassword option.
There's nothing special about the user name "anonymous", and you
probably shouldn't be using that user name anymore.

The transition to an authenticated domain is easy - simply assign a
password to the admin user.


I'll be committing this change later this week. Changes to the quicklook
tests will be included. Likely other tests will need to be updated to
accommodate these changes, in particular to remove any use of the user name
"anonymous".

Let me know if you have any questions.
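
The login rule described in the message, modelled as a small decision function. This is an added example, not part of the original message and not GlassFish code; `AdminUser`, `admin_login`, `unauthenticated_allowed` and `audit` are hypothetical names, and the sample domain is constructed.

```python
import hmac
from dataclasses import dataclass


@dataclass
class AdminUser:
    name: str
    password: str = ""  # empty string models "no password"


def unauthenticated_allowed(admins):
    # Exactly one admin user (whatever the name) and it has no password.
    return len(admins) == 1 and admins[0].password == ""


def admin_login(admins, user=None, password=""):
    """Decide one admin request against a list of AdminUser.

    user=None models a request carrying no authentication information
    (CLI without --user, or the GUI skipping its login page).
    """
    if user is None:
        return unauthenticated_allowed(admins)
    # A supplied user name is always verified, so wrong credentials sent to
    # a no-password domain are rejected rather than silently accepted.
    # Assumption: with several admin users, supplied credentials are simply
    # checked against the matching entry; the message does not cover that case.
    for a in admins:
        if a.name == user:
            return hmac.compare_digest(a.password.encode(), password.encode())
    return False


def audit(admins):
    """Defender's view: report whether the domain is open to unauthenticated admin."""
    if unauthenticated_allowed(admins):
        return "OPEN: sole admin '%s' has no password" % admins[0].name
    return "authenticated login required"


if __name__ == "__main__":
    domain = [AdminUser("admin")]            # constructed sample: default domain
    print(audit(domain), admin_login(domain))
    print(admin_login(domain, "anonymous"))  # wrong name -> False
    domain[0].password = "example-only"      # transition: assign a password
    print(audit(domain), admin_login(domain))
```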