dev@glassfish.java.net

Re: anonymous admin login

From: Bill Shannon <bill.shannon_at_sun.com>
Date: Fri, 11 Sep 2009 16:01:40 -0700

I've committed these changes.


Bill Shannon wrote on 09/09/09 14:29:
> We've been struggling with a number of issues related to anonymous
> admin login, such as:
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=8673
>
> It's been unclear how the transition from anonymous login to
> authenticated login should work.
>
> It's also the case that if you send incorrect credentials to a
> domain that's configured for anonymous login, it will accept them,
> which can hide configuration errors.
>
>
> Several of us discussed these issues offline and we decided to simplify
> all of this. Here's what we'll do...
>
> We'll remove the "anonymous" user. Instead, there will be a default
> admin user named "admin" with no password.
>
> If there's exactly one admin user (whatever the name), with no password,
> unauthenticated login will be allowed. The admin GUI will send you to
> the main page without you needing to type anything to the login page.
> For the admin CLI, if you don't specify a --user option, it will send
> requests with no authentication information, which will be accepted in
> this case. If you specify a user name, it must be the correct user
> name with the correct (by default empty) password.
>
> When creating a new domain you can choose the name of the admin user
> (or use the default). You can also specify a --nopassword option and
> you won't be prompted for a password for the admin user (avoiding the
> need to provide a password file for scripts that create such domains).
>
> An important aspect of this change is that creating a domain with
> "--user anonymous" is no longer special; you'll be required to specify
> a password using a password file, or use the --nopassword option.
> There's nothing special about the user name "anonymous", and you
> probably shouldn't be using that user name anymore.
>
> The transition to an authenticated domain is easy - simply assign a
> password to the admin user.
>
>
> I'll be committing this change later this week. Changes to the quicklook
> tests will be included. Likely other tests will need to be updated to
> accommodate these changes, in particular to remove any use of the user name
> "anonymous".
>
> Let me know if you have any questions.
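The login rule described in the quoted message, as an added model for illustration. This is not GlassFish code and does not touch the real admin realm; the AdminUser type, the function names and the sample user lists are assumptions made for this example. It shows the two points a reviewer of the change would want to check: unauthenticated requests pass only when there is exactly one admin user with no password, and supplying a user name always requires the right name and password, so wrong credentials are rejected even on a domain that allows anonymous access.

```python
"""Model of the simplified admin-login rule (added illustration, not GlassFish code).

Assumptions for this example: an admin realm is a list of AdminUser
records, an empty password string means "no password", and a request
with user=None models the CLI sending no authentication information
(no --user option given).
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdminUser:
    name: str
    password: str  # "" means the user has no password


def anonymous_login_allowed(admin_users: list[AdminUser]) -> bool:
    """Unauthenticated login is accepted only when there is exactly one
    admin user (whatever its name) and that user has no password."""
    return len(admin_users) == 1 and admin_users[0].password == ""


def authenticate(admin_users: list[AdminUser],
                 user: Optional[str],
                 password: Optional[str]) -> bool:
    """Decide whether an admin request is accepted.

    No user name: accepted only under the single-passwordless-admin rule.
    A user name: it must be an existing admin user and the password must
    match exactly (an empty stored password matches only an empty or
    absent supplied password).  This is what closes the hole in the old
    "anonymous" domain, which accepted any credentials and hid
    configuration errors.
    """
    if user is None:
        return anonymous_login_allowed(admin_users)
    supplied = (password or "").encode()
    for u in admin_users:
        if u.name == user:
            # Constant-time comparison; irrelevant for an empty password
            # but the right habit once one has been assigned.
            return hmac.compare_digest(u.password.encode(), supplied)
    return False  # unknown user, including the name "anonymous"


def set_admin_password(admin_users: list[AdminUser],
                       name: str, new_password: str) -> list[AdminUser]:
    """Transition to an authenticated domain: give the admin user a password.

    Assumption for this model: the transition requires a non-empty
    password, otherwise nothing changes.
    """
    if not new_password:
        raise ValueError("a non-empty password is needed to make the domain authenticated")
    if all(u.name != name for u in admin_users):
        raise KeyError(f"no admin user named {name!r}")
    return [AdminUser(u.name, new_password) if u.name == name else u
            for u in admin_users]


if __name__ == "__main__":
    # Constructed sample: a freshly created domain with --nopassword.
    fresh = [AdminUser("admin", "")]
    print("no --user on fresh domain   :", authenticate(fresh, None, None))      # True
    print("--user admin, empty password:", authenticate(fresh, "admin", ""))     # True
    print("--user admin, wrong password:", authenticate(fresh, "admin", "x"))    # False
    print("--user anonymous            :", authenticate(fresh, "anonymous", "")) # False

    secured = set_admin_password(fresh, "admin", "s3cret")
    print("no --user after password set:", authenticate(secured, None, None))    # False
    print("correct credentials         :", authenticate(secured, "admin", "s3cret"))  # True
```

Run it to see the four cases from the message in order; the important one is the third line, where a wrong password on a passwordless domain is refused instead of silently accepted.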