This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Outline of accepted solution for 7.4:
1) GlassFish Support in IDE checks if domain1 contains admin-keyfile entry with token admin;RESET;asadmin
2) User will be asked for password when starting domain for the 1st time, regardless started from IDE or manually from console
3) store the password to admin-keyfile i.e. .../domain1/config/admin-keyfile
4) store the password to user's keystore using Keyring API
5) read the password from keystore in following runs of the IDE
6) add Show/Hide buttons in GF Server's Properties to allow users to see the password
This is not a defect in current functionality but an enhancement request.
It requires new asadmin/REST commands to be implemented in NetBeans GF interface to set password and enable security mode on GlassFish DAS.
Unfortunately current GlassFish 4 does not allow us to set password when token admin;RESET;asadmin is set.
1) asadmin reset-admin-password requires current admin password which is verified against admin-keyfile => RESET is not a valid SSHA256 so it always fails. Also asadmin requires tty to read data from stdin and there is no way to supply password using command line arguments.
2) Hash stored in admin-keyfile is made using internal GlassFish SSHA hashing class. SSHA256 algorithm is not supported by Java SE 6 and 7 so there is no clean way to implement it by writing hash directly into admin-keyfile.
I spent some time trying to implement one of those ways without any success. Finally we found a hack to directly write SHA-1 hash labeled as {SSHA} into admin-keyfile which was accepted and works with 4.0.

Checked into web-main:
changeset: 254086:bbd5840f44f5
summary: #228435 - Ask user for admin password when RESET token is in admin-keyfile using popup window

This change set contains original code with pop up window.
TODO: Modify it to work as Tomcat plugin.
Checked into web-main:
changeset: 254087:6f089bd92ac0
summary: #228435 - Password is generated as 12 characters random String without user interaction and user can see it in properties editor

This is following Tomcat behavior. I personally do not agree with this solution because password can be shown in UI and I consider it as security hole.
> I consider it as security hole.

Security is reviewed by the corporate security team, it is not up to us to assess what is secure and what is not. This solution was approved by the security team.
This solution is putting NetBeans more in the middle between user and GlassFish and we are doing things that are not necessary. Once we generate random password we are responsible for its security and we have to guarantee that it's strong enough. This is bad. Such a thing should be always made user's responsibility. We can just provide him some tools like password policy support from NetBeans side.

Another problem is an option to show password in plain text in UI. It's just opening possibilities for more people who get some level of access to user's terminal to get access to password.

Well, I'm not part of security team but I was working on projects for ministry of internal affairs with some classification levels in the past so I have some real life experience with security on UNIX OS and Java applications.
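The two mechanisms discussed in this thread, shown as an added example that is not part of any comment above and is not the NetBeans plugin's code: detecting the admin;RESET;asadmin entry in admin-keyfile, and generating a 12-character password from a CSPRNG while stating its strength. The class name, the 62-character alphabet and the sample keyfile line are assumptions; the thread only says "12 characters random String".

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

public class AdminKeyfileCheck {
    // Assumed alphabet: the thread does not say which characters are used.
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int LENGTH = 12; // length stated in the changeset summary

    /** True if a keyfile line is exactly the default token admin;RESET;asadmin. */
    static boolean isResetEntry(String line) {
        String[] f = line.trim().split(";", -1);
        return f.length == 3 && f[0].equals("admin")
                && f[1].equals("RESET") && f[2].equals("asadmin");
    }

    /** True if any line of the keyfile still carries the RESET token. */
    static boolean needsPassword(List<String> keyfileLines) {
        for (String line : keyfileLines) {
            if (isResetEntry(line)) return true;
        }
        return false;
    }

    /** Draws each character uniformly; nextInt(bound) has no modulo bias. */
    static char[] generatePassword(SecureRandom rnd) {
        char[] pw = new char[LENGTH];
        for (int i = 0; i < LENGTH; i++) {
            pw[i] = ALPHABET.charAt(rnd.nextInt(ALPHABET.length()));
        }
        return pw;
    }

    /** Entropy in bits of a uniformly drawn password: LENGTH * log2(|ALPHABET|). */
    static double entropyBits() {
        return LENGTH * (Math.log(ALPHABET.length()) / Math.log(2));
    }

    public static void main(String[] args) {
        // Constructed sample standing in for .../domain1/config/admin-keyfile
        List<String> keyfile = Arrays.asList("admin;RESET;asadmin");
        if (needsPassword(keyfile)) {
            char[] pw = generatePassword(new SecureRandom());
            System.out.printf("generated %d chars, %.1f bits%n", pw.length, entropyBits());
            Arrays.fill(pw, '\0'); // wipe once handed to the keyring and keyfile writer
        }
    }
}
```

Keeping the password in a char[] lets the caller wipe it after use, which a String does not allow.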
Pushed into trunk. I'm closing this bug now to let Jiri verify it with installer.
Integrated into 'main-golden', will be available in build *201306050626* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/bbd5840f44f5
User: Tomas Kraus <TomasKraus@netbeans.org>
Log: #228435 - Ask user for admin password when RESET token is in admin-keyfile using popup window
The approved approach is to generate the random password, and it was confirmed this is the solution to be integrated this week. However, I don't see an integration here that would implement this approach. Has it been integrated?
TomasKraus 2013-06-03 15:11:51 UTC:
Checked into web-main:
changeset: 254087:6f089bd92ac0
summary: #228435 - Password is generated as 12 characters random String without user interaction and user can see it in properties editor
It was pushed into trunk on 4th June. I have no idea why there is no message about integration.