users@glassfish.java.net

Re: GlassFish 3.1.1 security

From: Nithya Subramanian <nithya.subramanian_at_oracle.com>
Date: Fri, 07 Oct 2011 19:52:55 +0530

Hi,

The 3.1.2 promoted builds can be obtained from
http://dlc.sun.com.edgesuite.net/glassfish/3.1.2/promoted/.
A build from Sep 2011 would contain the fix.

Also, to build your own source to fix the issue in the 3.1.1 branch, you
could try to download the 3.1.1 source code
(http://wikis.sun.com/display/GlassFish/3.1.1+Branch+Info) and build it
after making the fix in RealmAdapter
(http://wikis.sun.com/display/GlassFish/DevelopmentInstructions).

Please let us know if you would need anything else.

Thanks
Nithya

On Thursday 06 October 2011 06:50 PM, forums_at_java.net wrote:
> Thanks for the reply!
>
> After more hunting, I can see the bug at
> https://fisheye4.atlassian.com/browse/glassfish-svn/tags/3.1.1-b06/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java?hb=true.
>
> I assume the "split" produces an array of length 1 if default ports
> are used in the request (no ":8080" present), and so the
> "hostPort[1] == null" code throws an exception. I could patch it
> myself if I had buildable source.
> Is there a HOWTO guide on how to download glassfish source and build it?
> You mention 3.1.2 has the fix, is that available as a beta, or are you
> saying I need to be a glassfish customer to obtain that?
>
> Whether I build my own source, or upgrade to 3.1.2 binaries, is there
> a way for me to install it as an "upgrade" so I do not have to do a
> fresh install and configure all my settings again (that's the main
> reason I do not want to drop back to 3.1.0, or maybe there is a way I
> can simply do a "downgrade" of an existing install to 3.1.0 until
> 3.1.2 is out).
>
> The other thing I started wondering about is if I could remove the
> "<transport-guarantee>CONFIDENTIAL</transport-guarantee>" statements
> from web.xml and add some sort of filter that caused all requests that
> were not using SSL to go to https:\\<server>:443\<original request>,
> perhaps as some sort of redirect? Basically manually in my own code
> causing the redirect from :80 to :443 and avoiding the built in
> glassfish automatic method.
>
> Thanks,
> Mark
>
> --
>
> [Message sent by forum member 'markkr2']
>
> View Post: http://forums.java.net/node/834152
>
>
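
The failure mode described in the quoted post, as an added example that is not part of the original thread and is not GlassFish's RealmAdapter code: an unchecked `split(":")` index on a Host value with no port, next to a length-checked parse. The names `HostPortParse`, `naivePort` and `safePort`, the sample Host values and the default port 80 are assumptions; the bracketed IPv6 handling goes beyond the case discussed in the thread.

```java
import java.util.Arrays;
import java.util.List;

public class HostPortParse {
    /** Pattern as described in the post: index 1 is read without a length check. */
    static String naivePort(String hostHeader) {
        String[] hostPort = hostHeader.split(":");
        // Throws ArrayIndexOutOfBoundsException when the value has no ":port" part.
        return hostPort[1] == null ? "default" : hostPort[1];
    }

    /** Length-checked parse; returns defaultPort when the value carries no port. */
    static int safePort(String hostHeader, int defaultPort) {
        String h = hostHeader.trim();
        int idx;
        if (h.startsWith("[")) {                 // bracketed IPv6 literal, e.g. [::1]:8181
            int close = h.indexOf(']');
            if (close < 0) throw new IllegalArgumentException("bad Host value: " + h);
            boolean hasPort = close + 1 < h.length() && h.charAt(close + 1) == ':';
            idx = hasPort ? close + 1 : -1;
        } else {
            idx = h.lastIndexOf(':');
        }
        if (idx < 0 || idx == h.length() - 1) {  // no port, or a trailing ":"
            return defaultPort;
        }
        int port = Integer.parseInt(h.substring(idx + 1)); // NumberFormatException on junk
        if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port: " + port);
        return port;
    }

    public static void main(String[] args) {
        // Constructed sample Host header values, not taken from the thread.
        List<String> samples =
            Arrays.asList("example.test:8080", "example.test", "[::1]:8181", "[::1]");
        for (String s : samples) {
            String naive;
            try {
                naive = naivePort(s);
            } catch (ArrayIndexOutOfBoundsException e) {
                naive = "ArrayIndexOutOfBoundsException";
            }
            System.out.println(s + " -> naive=" + naive + ", safe=" + safePort(s, 80));
        }
    }
}
```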