Consider security implications of deployment to Glassfish via POST #3607
Comments
I'll have to go back to my notes and double-check, but I believe that the glassfish admin server may require a password set and/or "secure remote admin" before allowing admin access from locations other than localhost. If I'm remembering correctly, the installer uses asadmin (instead of POST) for deployment - but this also needs a double-check.
Double-checked (after confirmation from donsizemore http://irclog.iq.harvard.edu/dataverse/2017-01-31 that this was probably the case).
Short version - I don't see any additional steps that should be documented to prevent users from running into this. It might be useful to have a URL to "running Glassfish in production for the paranoid" (assuming such a thing exists).
Additional clarification - "out of the box" meaning that glassfish was installed as recommended in the guide; and after running the dataverse installer.
http://blogs.steeplesoft.com/posts/2011/deploying-applications-to-glassfish-using-curl.html documents how to deploy a war file to Glassfish via POST (as well as how to undeploy using DELETE).
Does Glassfish allow deployment via POST out of the box?
If so, should we document how to disable deployment via POST in the Dataverse Installation Guide?
Should we make the disabling or enabling of deployment via POST a flag in the installer?