Bug 228435 - Ask user for admin password if was not entered yet
Summary: Ask user for admin password if was not entered yet
Status: RESOLVED FIXED
Alias: None
Product: serverplugins
Classification: Unclassified
Component: GlassFish
Version: 7.4
Hardware: All All
Importance: P1 normal
Assignee: TomasKraus
URL:
Keywords:
Depends on:
Blocks: 225791
Reported: 2013-04-10 10:33 UTC by Jiri Rechtacek
Modified: 2013-06-07 13:57 UTC (History)

See Also:
Issue Type: ENHANCEMENT
Exception Reporter:


Attachments

Description Jiri Rechtacek 2013-04-10 10:33:52 UTC
Outline of accepted solution for 7.4:
1) GlassFish Support in IDE checks if domain1 contains admin-keyfile entry with token admin;RESET;asadmin
2) User will be asked for the password when starting the domain for the 1st time, regardless of whether it is started from the IDE or manually from the console
3) store the password to admin-keyfile i.e. .../domain1/config/admin-keyfile
4) store the password to user's keystore using Keyring API
5) read the password from the keystore in the following runs of the IDE
6) add Show/Hide buttons in GF Server's Properties to allow users to see the password
Comment 1 TomasKraus 2013-04-10 11:40:54 UTC
This is not a defect in current functionality but an enhancement request.
Comment 2 TomasKraus 2013-04-10 11:56:17 UTC
It requires new asadmin/REST commands to be implemented in the NetBeans GF interface to set the password and enable security mode on the GlassFish DAS.
Comment 3 TomasKraus 2013-06-03 13:15:28 UTC
Unfortunately, the current GlassFish 4 does not allow us to set the password when the token admin;RESET;asadmin is set.

1) asadmin reset-admin-password requires the current admin password, which is verified against admin-keyfile => RESET is not a valid SSHA256 hash, so it always fails.
Also, asadmin requires a tty to read data from stdin, and there is no way to supply the password using command line arguments.

2) The hash stored in admin-keyfile is made using the internal GlassFish SSHA hashing class. The SSHA256 algorithm is not supported by Java SE 6 and 7, so there is no clean way to implement it by writing the hash directly into admin-keyfile.

I spent some time trying to implement one of those ways without any success.

Finally we found a hack to directly write a SHA-1 hash labeled as {SSHA} into admin-keyfile, which was accepted and works with 4.0.

Checked into web-main:
----------------------
changeset:   254086:bbd5840f44f5
summary:     #228435 - Ask user for admin password when RESET token
             is in admin-keyfile using popup window

This changeset contains the original code with a pop-up window.

TODO: Modify it to work as Tomcat plugin.
Comment 4 TomasKraus 2013-06-03 15:11:51 UTC
Checked into web-main:
----------------------
changeset:   254087:6f089bd92ac0
summary:     #228435 - Password is generated as 12 characters random String
             without user interaction and user can see it in properties editor

This is following Tomcat behavior.

I personally do not agree with this solution because the password can be shown in the UI, and I consider it a security hole.
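To make the two mechanisms discussed in comments 3 and 4 concrete, here is an added example (not NetBeans or GlassFish code) that detects the admin;RESET;asadmin token in a constructed admin-keyfile, generates a 12-character random password from a CSPRNG, writes a {SSHA}-labeled SHA-1 field in its place, and verifies a candidate password against that field in constant time. The field layout base64(digest(password || salt) || salt) is the common LDAP-style SSHA convention and is an assumption here; the byte order GlassFish actually expects must be checked against its own SSHA class before relying on this. SHA-1 is used only because the thread reports that GlassFish 4.0 accepts it; the file contents and salts are constructed sample data.

```python
import base64
import hashlib
import secrets
import string

# Constructed sample admin-keyfile content (not a real GlassFish file).
# One principal per line, ';'-separated: user;{ALGO}base64;group
RESET_TOKEN = "RESET"
SAMPLE_KEYFILE = "admin;RESET;asadmin\n"


def parse_keyfile(text):
    """Return a list of (user, hash_field, group) tuples from admin-keyfile text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) != 3:
            raise ValueError(f"malformed admin-keyfile line: {line!r}")
        entries.append(tuple(parts))
    return entries


def needs_password_reset(text, user="admin"):
    """True when the user's hash field is the literal RESET token (step 1 of the outline)."""
    return any(u == user and h == RESET_TOKEN for u, h, _ in parse_keyfile(text))


def generate_password(length=12):
    """12-character random alphanumeric password from a CSPRNG (comment 4's approach)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha_encode(password, salt=None, algo="sha1"):
    """Build a {SSHA}/{SSHA256} field as base64(digest(password || salt) || salt).

    The digest/salt ordering is an assumed LDAP-style layout, not taken from GlassFish.
    """
    if salt is None:
        salt = secrets.token_bytes(8)  # constructed salt length; GlassFish's may differ
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    label = "{SSHA}" if algo == "sha1" else "{SSHA256}"
    return label + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, field):
    """Re-derive the digest from the trailing salt and compare in constant time."""
    if field.startswith("{SSHA256}"):
        algo, body = "sha256", field[len("{SSHA256}"):]
    elif field.startswith("{SSHA}"):
        algo, body = "sha1", field[len("{SSHA}"):]
    else:
        return False  # unknown label or the RESET token: never matches a password
    raw = base64.b64decode(body)
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(digest, expected)


def replace_reset_entry(text, password, user="admin"):
    """Rewrite only the user's RESET line with a real hash; other lines are kept verbatim."""
    out = []
    for u, h, g in parse_keyfile(text):
        if u == user and h == RESET_TOKEN:
            h = ssha_encode(password)
        out.append(";".join((u, h, g)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    pw = generate_password()
    updated = replace_reset_entry(SAMPLE_KEYFILE, pw)
    print(updated.strip())
    print("verifies:", ssha_verify(pw, parse_keyfile(updated)[0][1]))
```

The verifier deliberately rejects a field that still holds the RESET token, which is the situation comment 3 describes: the token is not a valid hash, so no password can ever authenticate against it until the line is rewritten.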
Comment 5 Petr Jiricka 2013-06-03 15:59:22 UTC
> I consider it a security hole.

Security is reviewed by the corporate security team, it is not up to us to assess what is secure and what is not. This solution was approved by the security team.
Comment 6 TomasKraus 2013-06-04 00:38:23 UTC
This solution is putting NetBeans more in the middle between the user and GlassFish, and we are doing things that are not necessary.

Once we generate a random password we are responsible for its security and we have to guarantee that it's strong enough. This is bad. Such a thing should always be made the user's responsibility. We can just provide him some tools like password policy support from the NetBeans side.

Another problem is the option to show the password in plain text in the UI. It's just opening possibilities for more people who get some level of access to the user's terminal to get access to the password.

Well, I'm not part of the security team, but I was working on projects for the ministry of internal affairs with some classification levels in the past, so I have some real-life experience with security on UNIX OS and Java applications.
Comment 7 TomasKraus 2013-06-04 09:28:24 UTC
Pushed into trunk. I'm closing this bug now to let Jiri verify it with installer.
Comment 8 Quality Engineering 2013-06-05 09:34:21 UTC
Integrated into 'main-golden', will be available in build *201306050626* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/bbd5840f44f5
User: Tomas Kraus <TomasKraus@netbeans.org>
Log: #228435 - Ask user for admin password when RESET token is in admin-keyfile using popup window
Comment 9 Antonin Nebuzelsky 2013-06-07 13:38:03 UTC
The approved approach is to generate the random password, and it was confirmed this is the solution to be integrated this week. However, I don't see an integration here that would implement this approach. Has it been integrated?
Comment 10 TomasKraus 2013-06-07 13:52:24 UTC
TomasKraus 2013-06-03 15:11:51 UTC:

Checked into web-main:
----------------------
changeset:   254087:6f089bd92ac0
summary:     #228435 - Password is generated as 12 characters random String
             without user interaction and user can see it in properties editor
Comment 11 TomasKraus 2013-06-07 13:57:11 UTC
It was pushed into trunk on 4th June. I have no idea why there is no message about integration.