
Consider security implications of deployment to Glassfish via POST #3607

Closed
pdurbin opened this issue Jan 31, 2017 · 4 comments

Comments

@pdurbin
Member

pdurbin commented Jan 31, 2017

http://blogs.steeplesoft.com/posts/2011/deploying-applications-to-glassfish-using-curl.html documents how to deploy a war file to Glassfish via POST (as well as how to undeploy using DELETE).

Does Glassfish allow deployment via POST out of the box?

If so, should we document how to disable deployment via POST in the Dataverse Installation Guide?

Should we make the disabling or enabling of deployment via POST a flag in the installer?

@pameyer
Contributor

pameyer commented Jan 31, 2017

I'll have to go back to my notes and double-check, but I believe that the glassfish admin server may require a password set and/or "secure remote admin" before allowing admin access from locations other than localhost.

If I'm remembering correctly, the installer uses asadmin (instead of POST) for deployment - but this also needs a double-check.

@pameyer
Contributor

pameyer commented Feb 2, 2017

Double-checked (after confirmation from donsizemore http://irclog.iq.harvard.edu/dataverse/2017-01-31 that this was probably the case).

  • Remote access needs to be enabled before Glassfish will allow access to the admin port; this is disabled by default with Glassfish 4.1 (aka - the one Dataverse recommends).
  • Attempting to deploy a WAR via POST out of the box fails as expected from off-host.

Short version - I don't see any additional steps that should be documented to prevent users from running into this. It might be useful to have a URL to "running Glassfish in production for the paranoid" (assuming such a thing exists).
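A configuration check in the spirit of the findings above, added here as an example and not code from Dataverse or GlassFish: it parses a domain.xml and reports whether secure admin is enabled and whether the admin listener is bound beyond loopback, the two conditions under which the admin port would accept an off-host deployment. The sample domain.xml, the element names it expects (secure-admin, network-listener with protocol admin-listener) and the default-bind behaviour are assumptions about the GlassFish 4.x layout.

```python
"""Audit a GlassFish domain.xml for off-host admin exposure (added check, not Dataverse code)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads. Element and
# attribute names follow the layout GlassFish 4.x writes (assumption).
SAMPLE_DOMAIN_XML = """<domain>
  <secure-admin enabled="true"/>
  <configs>
    <config name="server-config">
      <network-config>
        <network-listeners>
          <network-listener name="admin-listener" port="4848"
                            protocol="admin-listener" transport="tcp"
                            thread-pool="admin-thread-pool"/>
        </network-listeners>
      </network-config>
    </config>
  </configs>
</domain>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_admin_exposure(domain_xml) -> dict:
    """Report whether the admin port could accept deployments from off-host.

    GlassFish refuses admin requests from non-local addresses unless secure
    admin is enabled, so exposure needs both: secure-admin enabled AND an
    admin listener bound to a non-loopback address.
    """
    root = ET.fromstring(domain_xml)
    sa = root.find("secure-admin")
    remote_admin = sa is not None and sa.get("enabled", "false").lower() == "true"
    listeners = []
    for nl in root.iter("network-listener"):
        if nl.get("protocol") != "admin-listener":
            continue
        # No address attribute means all interfaces (assumption about defaults).
        address = nl.get("address", "0.0.0.0")
        listeners.append({"name": nl.get("name"), "port": nl.get("port"),
                          "address": address, "loopback_only": address in LOOPBACK})
    off_host = remote_admin and any(not l["loopback_only"] for l in listeners)
    return {"remote_admin_enabled": remote_admin,
            "admin_listeners": listeners,
            "off_host_deploy_possible": off_host}


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    print(audit_admin_exposure(text))
```

Run it with the path to a real domain.xml to check a live install; with no argument it evaluates the constructed sample.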

@pameyer
Contributor

pameyer commented Feb 2, 2017

Additional clarification - "out of the box" meaning that glassfish was installed as recommended in the guide; and after running the dataverse installer.

@djbrooke djbrooke changed the title Consider security implications of deployment to Glassfish via POST Installation Guide Update - Security Recommendations Feb 24, 2017
@pdurbin pdurbin changed the title Installation Guide Update - Security Recommendations Consider security implications of deployment to Glassfish via POST May 25, 2017
@pdurbin
Member Author

pdurbin commented May 25, 2017

I'm satisfied with @pameyer's findings of "Attempting to deploy a WAR via POST out of the box fails as expected from off-host." Also, we need to circle back to Glassfish security in #1934 anyway, so I'm closing this issue.
