Rajeshwar's Weblog

The soul...

The feeds...

The links...

« Previous month (Jul 2009) | Main | Next month (Sep 2009) »

Friday Aug 21, 2009

Configuring Security for GlassFish REST Interface

GlassFish_REST_Interface_Security GlassFish REST Interface supports basic authentication over secure channel. GlassFish REST inerface is exposed through admin adapter. To enable authentication, you need to define admin-realm user. You can define admin-realm user using any of the following.
Note: By default only anonymous is defined in admin-realm and anonymous user may not require password.

Add user using Admin Console
To add user using Admin Console follow these steps.
1. Start GlassFish and Admin Console. You can start the Admin Console by starting a web browser and specifying the URL http://localhost:4848/asadmin .
Note: We are assuming default admin port, 4848 through out this blog. If you changed the default admin, type the correct port number in place of 4848.
2. Go to Configuration-->Secuirty-->Realms node, then select the admin-realm realm.
3. Click the Manage Users button.
4. Click New to add a new user to the realm and provide the User ID and the New Password.
5. Click OK to add this user to the realm.

Add user using asadmin Client
1. Start GlassFish.
2. Execute the following command to create admin-realm user. You need to provide username and password for this new user.
<GlassFish_Install_Root>/glassfishv3/bin/asadmin create-file-user --groups asadmin --authrealmname admin-realm admin

Once you defined the admin-realm user, you need that user name and its password to access REST interface. Browser will pop-up, Authentication Required, dialog on first REST interface request.

To enable SSL, you need to enable security for admin-listener. You can enable security for admin-listener using any of the following.

Enable Security using Admin Console
1. Start Admin Console.
2. Go to Configuration-->Network Config-->Protocols node, then select the admin-listener node.
3. Select Protocol tab in the right-hand-side window, if its not already selected. Select Enabled value for Security by clicking the check-box.
4. Click Save to enable security for admin-listener.
5. Restart server.
Go to Application Server node.
Select General tab in the right-hand-side window, if its not already selected and click Restart button.

Enable Security using asadmin client
1. Use following asadmin set command to enable security for admin-listener.
asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
2. Restart server.
asadmin restart-domain

Enable Security using REST Interface
1. Start web browser and specify the following url
http://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/admin-listener
2. Select true for security-enabled field.
3. Click Update to enable security for admin-listener.
4. Restart server.
Access the following resource url through browser and click the Restart button.
http://localhost:4848/management/domain/restart

Once you enabled security for admin-listener, you should be able to use https for REST interface urls. Of course, you have to accept the certificate presented by browser.

To summarize, we can secure REST interface access through basic authentication over secure channel by defining new admin-realm user and enabling security for admin-listener.

Posted at 02:57PM Aug 21, 2009 by rajeshwar in Sun | Comments[3]

Wednesday Aug 19, 2009

Manage GlassFish using Browser/REST Interface

Manage GlassFish using Browser/REST Interface We enhanced html representations served by GlassFish REST interface. We are now including all the needed meta-data in html representations, thereby enabling write operations (update, create, delete) as well. This enables us to manage and monitor GlassFish using browser.

To use this feature, you can do the following-
1. Download latest GlassFish v3 distribution (glassfish.zip or web.zip) - http://hudson.glassfish.org/job/gf-trunk-build-continuous/
2. Unzip distribution zip and start the server.
3. Manage and monitor GlassFish using your favorite browser. You can access GlassFish REST interface using the following root urls -

GlassFish Configuration:
http://{host}:{port}/management/domain

GlassFish Monitoring:
http://{host}:{port}/monitoring/domain

where {host} is the server host and {port} is the administration port.

Note: You need to turn on module monitoring levels for monitoring data to show up.

Below are some of the screen shots-

Configuration Domain Resource Monitoring Domain Resource

Configuration Stop Resource
Monitoring JVM Resource

Monitoring ClassLoadingSystem Resource

Configuration IiopListener Resource

Posted at 03:26AM Aug 19, 2009 by rajeshwar in Sun | Comments[0]

Monday Aug 03, 2009

REST Interface to Configure GlassFish

REST Interface to Configure GlassFish In my earlier blog I talked about REST interface to monitor and manage GlassFish. We have seen how to monitor GlassFish using REST interface. Now, I would like to demonstrate how we can manage (configure) GlassFish through this interface. The url for management root resource is http://{host}:{port}/management/domain, where {host} is the server host and {port} is the administration port.

Domain Resource Lets access http://localhost:4848/management/domain through browser. Here we are addressing the management root resource, Domain, on my local GlassFish v3 install using its REST url. Domain resource has some attributes and children. By clicking through the child resource links you can access the entire GlassFish configuration model.

So far we have seen how to read GlassFish configuration using browser. Using java client, we can see how to write configuration. Through browser we were using html representations, whereas, with java client we will use JSON and XML representations.

You can download java client by clicking here. Java client uses Jersey client API's and we used this client earlier to demonstrate GlassFish monitoring.

For example, lets create a new iiop listener. In this example, we will use XML and JSON representations interchangeably to demonstrate REST interface support for these formats-

Step 1. GET iiop listeners
rget http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener "application/xml"

<IiopListener>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/orb-listener-1</child-resource>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/SSL</child-resource>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/SSL_MUTUALAUTH</child-resource>
</IiopListener>

We see that three are three iiop-listeners available. How do I know whether I can create a fourth one and if yes, how do I know what input representation to use? Well, we can use OPTIONS method to query this.

Step 2. Get OPTIONS for iiop listeners
roptions http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener "application/json"

{
"Method":"POST",
"Message Parameters":{
    "id":{"Acceptable Values":"","Default Value":"",
"Type":"class java.lang.String","Optional":"false"},
    "enabled":{"Acceptable Values":"","Default Value":"true",
  "Type":"class java.lang.Boolean","Optional":"true"},
    "securityenabled":{"Acceptable Values":"","Default Value":"false",
"Type":"class java.lang.Boolean","Optional":"true"},
    "iiopport":{"Acceptable Values":"","Default Value":"1072",
  "Type":"class java.lang.String","Optional":"true"},
    "listeneraddress":{"Acceptable Values":"","Default Value":"",
  "Type":"class java.lang.String","Optional":"false"},
    "target":{"Acceptable Values":"","Default Value":"",
  "Type":"class java.lang.String","Optional":"true"},
    "property":{"Acceptable Values":"","Default Value":"",
  "Type":"class java.util.Properties","Optional":"true"}
}

"Method":"GET"
}

For the meta-data, id and listeeneraddress are madatory parameters. To create new iiop-listener we must, at least provide these two parameters.

Step 3. Create (POST) new iiop listener
rpost http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener "{\"id\" : \"my-new-listener\", \"listeneraddress\" : \"0.0.0.0\"}" "application/json"

201
"http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener/my-new-listener" created successfully.

Step 4. GET iiop listeners
rget http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener "application/xml"

<IiopListener>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/orb-listener-1</child-resource>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/SSL</child-resource>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/SSL_MUTUALAUTH</child-resource>
<child-resource>http://localhost:4848/management/domain/configs/config/
server-config/iiop-service/iiop-listener/my-new-listener</child-resource>
</IiopListener>

Now we see that the fourth iiop listener, my-new-listener, is available on the server.

Step 5. GET iiop listener, my-new-listener
rget http://localhost:4848/management/domain/configs/config/server-config/
iiop-service/iiop-listener/my-new-listener "application/xml"

<IiopListener id="my-new-listener" port="1072" enabled="true" address="0.0.0.0" security-enabled="false" lazy-init="false">
</IiopListener>

Through this example, above, we saw read, write of GlassFish configuration through REST interface using different representations (HTML, JSON and XML).

Posted at 05:31PM Aug 03, 2009 by rajeshwar in Sun | Comments[1]