dev@glassfish.java.net

From: k <Kedar.Mhaswade_at_Sun.COM>
Date: Thu, 15 Oct 2009 09:13:51 -0700

vince kraemer wrote:
> Hmm.
>
> I am glad to hear that Bill is trying to make --secure obsolete....

Not really. Making it obsolete would be a bad idea. What he's trying to do is
improve the user experience in the case where you forgot to put an explicit
--secure even when the server is secure. It's a good practice on users' part
to have an explicit --secure. I wouldn't advocate for forgetting about
--secure.

>
> Since the isSecurePort method tells you that the port is secure, I
> figure he won't need to retry... why try to connect when you know that
> it will fail... He may want to go straight to making a Https connection...

Wow. That means you take the overhead every time even when the server is
secure. Note that asadmin is separate from the server. It does not know the
server is secure unless you tell it so via --secure. The other route is:
when --secure is false (the default for all asadmin) and you get
a known exception (that indicates the server might be secure), try a
secure connection. Retrying is the right thing to do.

> That is what I am doing in the NB plugin.

You could consider changing that, if you are always doing isSecurePort first.

> You may end up getting the sun.security.validator.ValidatorException
> when you try to use the connection... since the domain does not have a
> nice trusted certificate... The JVM for asadmin may trust the cert from
> domain1... The NB IDE doesn't.

When the domain is created, its (self-signed) cert is already added to
asadmin's trust-store (see my other message to users' alias).

>
> Thanks,
> vbk
>
> kedar wrote:
>> asadmin attempts a plaintext connection and if it gets a SocketException,
>> then it examines to see if the server is actually https and not http.
>> The code that determines this is in:
>> <v3>/common/common-util/.../NetUtils.java, method: isSecurePort().
>>
>> That method tries to do some test that tells us with some confidence
>> if the server is really secure. (JF, you contributed this code, right?)
>> Then asadmin just reports the same to the user (i.e. server appears
>> secure, retry with --secure).
>>
>> Incidentally, Bill is fixing asadmin code such that we are now going to
>> attempt an https connection if http connection fails (a bug filed by you,
>> apparently).
>>
>> In the exception stack trace you get, do you have SocketException or
>> something else? (YMMV, because it's not clear exactly what exception
>> you'll get when you try something like this).
>>
>> vince kraemer wrote:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target
>>>
>>> I want to extend the v3 plugin for NetBeans to 'play well' with a
>>> domain that has a secured admin listener and I am being thwarted by
>>> this...
>>>
>>> I figure we must have code that copes with this in the admin cli. A
>>> pointer to the right place to start would be great...
>>>
>>> Thanks,
>>> vbk
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>
>
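
The probe-then-retry decision discussed in this thread, as an added Java example that is not GlassFish's NetUtils.isSecurePort() code and not part of any message above: it classifies the first bytes a listener returns to a plaintext request and picks the client's next step. The class, enum and method names are hypothetical, and the sample replies are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; all names here are hypothetical, not GlassFish code.
public class ProbeReplyExample {
    enum Listener { PLAINTEXT_HTTP, TLS, UNKNOWN }
    enum Action { USE_HTTP, RETRY_WITH_HTTPS, REPORT_ERROR }

    /** Classify the first bytes a listener returned to a plaintext HTTP request. */
    static Listener classify(byte[] reply) {
        if (reply.length >= 5
                && "HTTP/".equals(new String(reply, 0, 5, StandardCharsets.US_ASCII))) {
            return Listener.PLAINTEXT_HTTP;
        }
        // TLS record header: content type 0x15 (alert) or 0x16 (handshake),
        // followed by protocol major version 0x03.
        if (reply.length >= 3 && (reply[0] == 0x15 || reply[0] == 0x16) && reply[1] == 0x03) {
            return Listener.TLS;
        }
        return Listener.UNKNOWN; // empty or unrecognised reply: do not guess
    }

    /** Client-side decision when the user did not pass an explicit secure flag. */
    static Action decide(Listener listener) {
        switch (listener) {
            case PLAINTEXT_HTTP:
                return Action.USE_HTTP;
            case TLS:
                // The retry must still validate the server certificate against the
                // client's trust store; a ValidatorException there is a real failure.
                return Action.RETRY_WITH_HTTPS;
            default:
                return Action.REPORT_ERROR;
        }
    }

    public static void main(String[] args) {
        // Constructed sample replies, not captured from a real server.
        byte[] http = "HTTP/1.1 200 OK\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] tlsAlert = {0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0a}; // fatal alert record
        byte[] closed = {}; // peer closed the socket without sending anything
        for (byte[] reply : new byte[][] {http, tlsAlert, closed}) {
            Listener listener = classify(reply);
            System.out.println(listener + " -> " + decide(listener));
        }
    }
}
```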