users@glassfish.java.net

Security on the default domain

From: Sam Halliday <sam.halliday_at_gmail.com>
Date: Sat, 27 Feb 2010 06:24:39 -0800 (PST)

Dear all,

I understand that the default out-of-the-box domain is configured to be as
easily accessible as possible - my first reflex is always to harden by
enabling SSL, an admin password and the security manager, which is
thankfully quite easy in glassfish v3!

However, when Glassfish is bundled with packages such as NetBeans, the
default behaviour seems to be carried through. This leads to systems that
are highly vulnerable to attack. Am I correct in thinking that the default
domain would allow anybody (with network access to port 4848 on the serving
machine) to connect to the admin panel, upload an application and have carte
blanche access to all files that the owner-process has access to?

If this is correct, is there perhaps a simple way to either lock the admin
port to "localhost" connections, or to generate a strong password
automatically?

Regards, Sam
-- 
View this message in context: http://old.nabble.com/Security-on-the-default-domain-tp27728307p27728307.html
Sent from the java.net - glassfish users mailing list archive at Nabble.com.