PAYARA-3658 ejb-invoker endpoint security support #4232

Merged
merged 15 commits into from Oct 24, 2019

Contributor

jGauravGupta commented Sep 20, 2019

Deprecated asadmin commands:
Deprecating the following asadmin commands, as the get/set-xxx-configuration pattern is used for service configuration and a few parameters need to be added, which makes sense for the set-xxx-configuration pattern.
disable-ejb-invoker
enable-ejb-invoker

New asadmin commands:
get-ejb-invoker-configuration
set-ejb-invoker-configuration

Server-side Usage:

  • To enable ejb-invoker endpoint:

    asadmin> set-ejb-invoker-configuration --enabled=true

  • To enable security on ejb-invoker endpoint:

    asadmin> set-ejb-invoker-configuration --securityenabled=true

    When securityenabled is set to true, a username and password are required to access ejb-invoker endpoint. By default, the username / password is set to invoker with the role invoker and defined in the configured realm.

  • To change the context root of ejb-invoker service:

    asadmin> set-ejb-invoker-configuration --endpoint=cutom-ejb-invoker

  • To assign the roles:

    asadmin> set-ejb-invoker-configuration --roles=groupA,groupB,groupC

    By default, invoker role is assigned.

  • To change the realm name:

    asadmin> set-ejb-invoker-configuration --realmName=MY_DB

  • To change the auth type:

    asadmin> set-ejb-invoker-configuration --authType=BASIC

  • To set the JASPIC SAM via registered security provider id:

    asadmin> set-ejb-invoker-configuration --authModule=GFConsoleAuthModule

  • To register and set the JASPIC SAM via class name:

    asadmin> set-ejb-invoker-configuration --authModuleClass=org.glassfish.admingui.common.security.AdminConsoleAuthModule

  • To use the HTTPAuthenticationMechanism and IdentityStore, place the impl artifact in the lib dir of endpoints/ejb-invoker.

Client-side Usage:
Add the following properties to javax.naming.InitialContext to pass the authentication credentials:

  • fish.payara.provider.authType default value BASIC
  • fish.payara.provider.principal to pass the username
  • fish.payara.provider.credentials to pass the password
  • fish.payara.requestFilter to register ClientRequestFilter
  • fish.payara.responseFilter to register ClientResponseFilter

Testcases:
Testcase added under payara-samples module.
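
An added example (not from the pull request or the Payara code base) of a client that passes credentials through the properties listed under Client-side Usage above. The context factory class name, host, environment variable names and JNDI name are assumptions; the TLS check is an extra guard, because BASIC sends the password base64-encoded rather than encrypted.

```java
import java.net.URI;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SecuredInvokerClient {

    /** Builds the JNDI environment for a security-enabled ejb-invoker endpoint. */
    static Hashtable<String, Object> buildEnvironment(String providerUrl, String user, String password) {
        URI uri = URI.create(providerUrl);
        // BASIC only base64-encodes the password: require TLS unless the
        // endpoint is on the loopback interface (local testing).
        boolean loopback = "localhost".equals(uri.getHost()) || "127.0.0.1".equals(uri.getHost());
        if (!"https".equalsIgnoreCase(uri.getScheme()) && !loopback) {
            throw new IllegalArgumentException("BASIC credentials must not be sent over " + uri.getScheme());
        }
        if (user == null || password == null) {
            throw new IllegalArgumentException("username and password are required when securityenabled=true");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        // Assumption: factory class of Payara's EJB HTTP client (not named on this page).
        env.put(Context.INITIAL_CONTEXT_FACTORY, "fish.payara.ejb.rest.client.RemoteEJBContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        // Property names as listed in the PR description.
        env.put("fish.payara.provider.authType", "BASIC");
        env.put("fish.payara.provider.principal", user);
        env.put("fish.payara.provider.credentials", password);
        return env;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values: host, variable names and JNDI name are placeholders.
        String url = System.getenv().getOrDefault("INVOKER_URL", "https://payara.example.com:8181/ejb-invoker");
        // Credentials come from the environment so they are not hard-coded in source.
        Hashtable<String, Object> env = buildEnvironment(
                url, System.getenv("INVOKER_USER"), System.getenv("INVOKER_PASSWORD"));
        Context ctx = new InitialContext(env);
        Object bean = ctx.lookup("java:global/sample-app/SampleBean");
        System.out.println("Looked up " + bean.getClass().getName());
        ctx.close();
    }
}
```

Running it requires the Payara EJB HTTP client on the classpath and the user to be defined in the realm configured with --realmName.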

@jGauravGupta jGauravGupta force-pushed the jGauravGupta:PAYARA-3658 branch 2 times, most recently from 8a380cb to d677f08 Sep 20, 2019
@jGauravGupta jGauravGupta force-pushed the jGauravGupta:PAYARA-3658 branch from d677f08 to 40d140c Sep 20, 2019
@jGauravGupta jGauravGupta requested a review from Pandrex247 Sep 20, 2019
@jGauravGupta jGauravGupta force-pushed the jGauravGupta:PAYARA-3658 branch from 462d2ed to aa2204b Oct 1, 2019
@jGauravGupta jGauravGupta changed the title PAYARA-3658 ejb-invoker endpoint BASIC_AUTH security support PAYARA-3658 ejb-invoker endpoint security support Oct 1, 2019
Contributor

pdudits left a comment

Copyrights need updating, and the unnecessary CDI extension reference should be removed.

private static final String ROLE = "invoker";

@BeforeClass
public static void enableSecurity() {


pdudits Oct 4, 2019

Contributor

That's nice! I need to think about how I can make a similar initialization in the main ejb-invoker test suite...

@jGauravGupta jGauravGupta requested a review from pdudits Oct 4, 2019
Member

Pandrex247 left a comment

Configuration changes don't seem to be dynamic.
For example, it doesn't seem to be possible to disable security without redeploying the application - and no "unprocessed changes" event is thrown, so the server doesn't indicate that a restart is required.

Would be good to either have it be dynamic or tell you that a restart is required :)

Contributor Author

jGauravGupta commented Oct 10, 2019

Security configuration is added to the WebBundle Descriptor, hence added the message "Restart server or re-enable the ejb-invoker service for the change to take effect".

Member

Pandrex247 left a comment

Extra checks needed :)

Member

Pandrex247 left a comment

Still too broad.

@jGauravGupta jGauravGupta requested a review from Pandrex247 Oct 22, 2019
Member

Pandrex247 left a comment

Now I'm not getting the restart required at all!

Contributor Author

jGauravGupta commented Oct 22, 2019

Hi @Pandrex247,

I cross-verified: UnprocessedChangeEvent is fired and the message is added to the log, but if the enabled property is set to false it will be ignored.

```
[2019-10-22T23:40:45.460+0530] [Payara 5.194-SNAPSHOT] [WARNING] [] [] [tid: _ThreadID=269 _ThreadName=pool-82-thread-1] [timeMillis: 1571767845460] [levelValue: 900] [[
  Unprocessed event : UnprocessedChangeEvent{PropertyName=security-enabled, OldValue = true, NewValue = false, Source = GlassFishConfigBean.fish.payara.ejb.http.admin.EjbInvokerConfiguration}, reason = EJB Invoker configuration changed: security-enabled was changed from true to false, when = 1571767845459]]
```
Contributor Author

jGauravGupta commented Oct 23, 2019

jenkins test please

@jGauravGupta jGauravGupta merged commit 1845f18 into payara:master Oct 24, 2019
7 of 9 checks passed
security/snyk - appserver/installer/pom.xml (payara-ci) Test in progress
security/snyk - appserver/registration/pom.xml (payara-ci) Test in progress
Payara Quick Build and Test Quick build and test passed!
security/snyk - appserver/deployment/pom.xml (payara-ci) No new issues
security/snyk - appserver/extras/pom.xml (payara-ci) No new issues
security/snyk - appserver/orb/pom.xml (payara-ci) No new issues
security/snyk - appserver/transaction/pom.xml (payara-ci) No new issues
security/snyk - nucleus/packager/pom.xml (payara-ci) No new issues
security/snyk - nucleus/test-utils/pom.xml (payara-ci) No new issues