SSL is always required by Glassfish 3.1.2.2 #13

Open
glassfishrobot opened this issue Mar 19, 2013 · 6 comments


I have recently upgraded from Glassfish 3.0.1 to Glassfish 3.1.2.2 on a client-server application using EJB. As it is part of a closed intranet, SSL is not used for the communication between the client and server.

To upgrade to a new Glassfish version, I just basically copied the setup of the old glassfish-server, page by page. Still, when I tried to do a login against the server, it repeatedly failed due to CORBA NO PERMISSION errors. After a bit of debugging, I found that it was due to the server having SSL required, and when the client tried to connect without SSL, it failed due to mismatch in this respect.

The way it is determined whether the server requires SSL is in the SecurityMechanismSelector class. Here, in the postConstruct method, a (actually 2) EjbIORConfigurationDescriptor are made. This object holds values describing whether SSL is required on the server or not. These values default to SUPPORTED, but if the property "com.sun.CSIV2.ssl.server.required" (orbHelper.getCSIv2Props()).getProperty(GlassFishORBHelper.ORB_SSL_SERVER_REQUIRED) is set to true, it will override a couple of values regarding SSL to REQUIRED. The value of the property is set in the GlassFishORBManager class, and it is based on the iiop-connectors of the server (method initProperties). What it basically does to find this out is to loop through the iiop connectors, and check if they have an SSL-element. If there is one connector that does not have an SSL-element, SSL is not required, if all have it SSL is required.

The problem with this is that per default, all connectors (even the orb-listener-1) have an SSL-element in their domain.xml-representation. I've tried simply removing the SSL-element of the orb-listener-1 from the domain.xml, and then authentication works just fine. But, if I in the admin console enter the SSL-tab of this listener, it will create the SSL-element again. So, it's not a very robust solution to the problem.

Whether or not SSL is required should be specified in a different way, so that one does not need to hack the domain.xml in order to have ORB-communication without SSL, nor need to worry that someone will enter the wrong page in the admin console and mess everything up.

Environment

Glassfish 3.1.2.2

Affected Versions

[current]
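
The listener rule described in the report above, as an added example that is not part of the original issue or the GlassFish code base: a Python check over a domain.xml that reports whether every IIOP listener carries an SSL element, which is the condition the report says turns SSL into a requirement. The element and attribute names (`iiop-listener`, `ssl`, `security-enabled`), the `server-config` name and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal domain.xml fragment in which every IIOP
# listener, including the plain orb-listener-1, carries an <ssl> child.
SAMPLE_DOMAIN_XML = """
<domain>
  <configs><config name="server-config">
    <iiop-service>
      <iiop-listener id="orb-listener-1" port="3700" security-enabled="false">
        <ssl/>
      </iiop-listener>
      <iiop-listener id="SSL" port="3820" security-enabled="true">
        <ssl cert-nickname="s1as"/>
      </iiop-listener>
    </iiop-service>
  </config></configs>
</domain>
"""

def audit_iiop_ssl(domain_xml, config_name="server-config"):
    """Apply the rule from the report: SSL counts as required only when
    every IIOP listener has an <ssl> child. Returns (required, findings);
    required is None when the config has no listeners to evaluate."""
    root = ET.fromstring(domain_xml)
    listeners = []
    for config in root.iter("config"):
        if config.get("name") == config_name:
            listeners = list(config.iter("iiop-listener"))
    if not listeners:
        return None, ["no iiop-listener found in config %r" % config_name]
    findings, all_have_ssl = [], True
    for listener in listeners:
        has_ssl = listener.find("ssl") is not None
        all_have_ssl = all_have_ssl and has_ssl
        # Assumed attribute: security-enabled marks a listener as SSL-only.
        plain = listener.get("security-enabled", "false").lower() != "true"
        if has_ssl and plain:
            findings.append("%s: <ssl> element on a listener without "
                            "security-enabled=true" % listener.get("id"))
    return all_have_ssl, findings

if __name__ == "__main__":
    required, findings = audit_iiop_ssl(SAMPLE_DOMAIN_XML)
    print("SSL treated as required:", required)
    for line in findings:
        print("  " + line)
```

Running such a check after any admin console change to a listener shows whether the SSL element has been written back to the plain listener.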

@glassfishrobot Commented
Reported by tobb

@glassfishrobot Commented
tobb said:
Did I put this in the right project btw?

@glassfishrobot Commented
heiner said:
I can confirm this bug

@glassfishrobot Commented
This issue was imported from java.net JIRA GLASSFISH_CORBA-13

@yusufshmm Commented
Hi,

We are facing this problem in our Production environment Glassfish 3.1.2.2.
Is there a plan to fix this issue or is there an official patch somewhere?

Thanks.

Rgds,
Yusuf
