Archive for the 'glassfish' Category

Glassfish security vulnerability

When you deploy IT components like operating systems, application servers and web servers in a Web 2.0 hosting environment, it's very important to have a hardened configuration before your public launch and before your web apps are reachable from the internet on HTTP ports 80 and 443. In environments without firewalls, e.g. on cheap “root servers”, you're often online and exposed to every internet user, hackers included, right after the initial setup of your Web Stack.

IT administrators and Web 2.0 developers are always working under pressure, and there's a lack of time to find all the security vulnerabilities in the software products used, Open Source as well as commercial. At a time when most attacks against Web 2.0 apps travel inside the HTTP / HTTPS protocol itself (SQL injection, cross site scripting and so on), it is important that the installation of Web Stack components is secure by default.

An example: a basic rule for a secure web configuration for over a decade has been to have directory listings switched off in web servers and app servers.

What about glassfish 2.0 and security, are there any concerns?

Back to the directory listing example.

The Glassfish default is to have directory listings on, and you have to modify

glassfish/domains/domain1/config/default-web.xml

to get a secure glassfish configuration, as also mentioned by hobione.

Another thing is the default HTTP headers from glassfish. They're too noisy by default; they tell everyone on the web which version of glassfish you're using:

Server: Sun Java System Application Server 9.1

X-Powered-By:Servlet/2.5

So my suggestion to the glassfish project members is to change these defaults to secure ones, which means:

  • Directory Listing “off”
  • HTTP Header at least without any software version information
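As an added example, not code from the post, from hobione or from the GlassFish project, here is a small POSIX shell script that audits and fixes both defaults listed above: it reads default-web.xml and switches the DefaultServlet's listings init-param off, and it filters a set of response headers for product or version strings. The init-param name listings is assumed from the Catalina DefaultServlet that GlassFish V2 embeds; the XML excerpt and the header block are constructed (the headers from the two lines quoted above); GF_HOME is an assumed install prefix.

```shell
#!/bin/sh
# Added example (not from the post or the GlassFish project): check and fix
# the two defaults discussed above. Assumes the init-param is named "listings",
# as in the Catalina DefaultServlet that GlassFish V2 embeds, and the post's
# file path under an assumed install prefix.
GF_HOME="${GF_HOME:-/opt/glassfish}"

# Constructed excerpt of default-web.xml, modelled on the DefaultServlet entry.
sample_default_web_xml() {
  cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
EOF
}

# Print "on" or "off" for the listings init-param of the XML read from stdin.
# A missing param counts as "off" (the DefaultServlet's own default).
listings_state() {
  awk '
    /<param-name>[ \t]*listings[ \t]*<\/param-name>/ { want = 1 }
    want && /<param-value>/ {
      v = $0
      sub(/.*<param-value>[ \t]*/, "", v)
      sub(/[ \t]*<\/param-value>.*/, "", v)
      if (v == "true") print "on"; else print "off"
      found = 1
      exit
    }
    END { if (!found) print "off" }
  '
}

# Copy the XML from stdin to stdout with listings set to false (idempotent).
disable_listings() {
  awk '
    /<param-name>[ \t]*listings[ \t]*<\/param-name>/ { want = 1 }
    want && /<param-value>/ {
      sub(/<param-value>[ \t]*true[ \t]*<\/param-value>/, "<param-value>false</param-value>")
      want = 0
    }
    { print }
  '
}

# Apply it to the real file, keeping a backup; restart the domain afterwards.
harden_default_web_xml() {
  f="$GF_HOME/domains/domain1/config/default-web.xml"
  cp "$f" "$f.bak" && disable_listings < "$f" > "$f.new" && mv "$f.new" "$f"
}

# Constructed response built from the two header lines quoted in the post.
sample_headers() {
  printf '%s\n' \
    'HTTP/1.1 200 OK' \
    'Server: Sun Java System Application Server 9.1' \
    'X-Powered-By: Servlet/2.5' \
    'Content-Type: text/html;charset=ISO-8859-1'
}

# From response headers on stdin, print the Server / X-Powered-By lines that
# carry a version number. Live use: curl -sI http://host:8080/ | disclosing_headers
disclosing_headers() {
  tr -d '\r' | grep -i -E '^(Server|X-Powered-By):' | grep -E '[0-9]+\.[0-9]+'
}
```

Run harden_default_web_xml once per domain and restart it; the headers check is worth repeating after every upgrade, because a new release can bring new banners back. The awk rewrite deliberately touches only the value that follows the listings param-name, so any other init-param in the file is left exactly as it was.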

Project Webstack on YouTube

See and hear more on project Webstack, PHP, Glassfish V2 on Solaris on YouTube.


Sun Coolstack and Webstack projects

At Pixelpark, we use Solaris 10 as the main production platform for all our customers. All our web hosting customers need basic open source components like apache httpd, tomcat and mysql. Some of them also use php, some use mongrels, others glassfish V2 and so on. We always try to use the latest versions of these components for security reasons and, if we build high performance web sites, for performance. Today Solaris 10 U4 offers outdated versions of apache and mysql, and no php at all. Only Postgresql is up to date with Solaris 10 U4 (GREAT !!). Because we often (daily..) have to install optimized and up to date versions, we have a couple of choices: download binary distributions (like coolstack or from blastwave) or build these components on our own.

We hope that the Sun Webstack project will soon bring us precompiled, optimized and up to date apache httpd, php and mongrel versions with security relevant updates. Maybe future Solaris 10 Updates (U5) will bring newer versions of these main Web 2.0 components, so that we do not have to compile, test, distribute and patch the components on our own.

Sun’s Niagara2 Processor

More and more information about the upcoming Niagara2 Processor is on the web.

What’s new about the Ultrasparc T2 Processor?

  • 2nd generation CMT (Chip Multi-Threading) processor
  • 8 Sparc Cores, 4MB shared L2 cache; Supports concurrent execution of 64 threads
  • 2x the UltraSparc T1's throughput performance
  • 10x the UltraSparc T1's floating point throughput performance
  • Two 10G Ethernet ports on chip

Hope to see some SPECjAppServer2004 results for Niagara2 servers with Glassfish or Bea Weblogic soon.

Sun Java System Web Server 7.0 Update 1

Sun Java System Web Server 7.0 Update 1 has been released. The main new features are:

  • Accelerator Cache
  • Performance and stability improvements
  • Out-of-box Java support for Servlets 2.5, JSP 2.1, JSF 1.2
  • Support for Java SE 5.0 and 6
  • Support for NetBeans IDE 5.0, 5.5, and 5.5.1
  • Administration interface support for FastCGI

More in the Release Notes; you can download it here.

SPECjAPPServer2004 results for glassfish

There are a couple of published results for glassfish V1 aka Sun Java System Application Server 9.0 on different types of server hardware:

  • One Sun T2000, one 1.2 GHz T1, 8 cores: 521.42 JOPS
  • Three Sun X4100, each with two 2.6 GHz AMD Opteron, 4 cores: 720.56 JOPS

compared to Bea Weblogic 9.0:

Looking forward to seeing Glassfish V2 SPECjAppServer2004 benchmarks for servers with AMD Opteron, Intel Woodcrest and Clovertown, and Niagara2 …

OpenCms 7 on glassfish 2

OpenCms 7, a great Open Source CMS, seems not to work on glassfish 2. We tried OpenCms 6 last year with glassfish 1 and had no problems, but didn't go into production with this setup.

Solaris Express Developer Edition 5/07

Solaris Express Developer Edition 5/07 is available now, and there are a lot of new features and packages within this distribution.

A couple of the interesting ones:

  • Glassfish Application Server (have to check the version)
  • Sun Studio 12
  • PostgreSQL 8.2.4
  • Apache 2.2.3 (have to check if mod_ldap is already compiled…)
  • and many more…

Full detailed what’s new pdf.

Hope to have these packages in Solaris 10 for production soon. With Solaris 10, we're still on apache 2.0.x.
The tomcat and mysql bundled with Solaris 10 are also quite a bit too old for the web 2.0 projects we have in production today.

Currently, I can't find any VMware images to download, only the usual setup DVD download.

glassfish in production

Running a J2EE application server like glassfish in production brings a lot of additional work after installation. While a simple installation for developers is easy, it does not seem so easy today to bring glassfish into production. From my point of view, there are at least the following things to do for a production installation:

  • add a new user and group (e.g. glassfish) to /etc/passwd and /etc/group
  • install the latest jdk
  • install glassfish
  • set up and install start/stop scripts (smf on Solaris 10)
  • install the glassfish apache 2.2 ajp integration (example1 example2 example3)
  • configure glassfish logfile rotation
  • tune glassfish because the default settings are not suitable for production (a lot of parameters!)
  • harden glassfish because the default security settings are not strong and secure enough
  • deploy the jdbc configuration (jars + settings)
  • write scripts to integrate glassfish into your monitoring framework
  • write scripts to integrate glassfish into your deployment framework (e.g. Sun N1 SPS)
  • and of course, this list is not complete
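As an added example that is not part of the post (nor GlassFish's own tooling), the first and fourth items of that list done with Solaris 10 tools: a dedicated glassfish account and an SMF manifest that starts and stops the domain under that account, so the JVM never runs as root. The install prefix /opt/glassfish, the domain name domain1, the service name application/glassfish and the GF_* variables are assumptions; the manifest follows the SMF service_bundle DTD and is checked with svccfg validate before import.

```shell
#!/bin/sh
# Added example, not from the post or the GlassFish project: unprivileged
# account plus SMF start/stop for a GlassFish V2 domain on Solaris 10.
# Assumptions: install prefix, domain name and service name below.
GF_HOME="${GF_HOME:-/opt/glassfish}"
GF_USER="${GF_USER:-glassfish}"
GF_DOMAIN="${GF_DOMAIN:-domain1}"
GF_SVC="application/glassfish/$GF_DOMAIN"

# 1. Dedicated account: no login shell, owns only the domain tree it writes to.
setup_glassfish_user() {
  groupadd "$GF_USER"
  useradd -g "$GF_USER" -d "$GF_HOME" -s /bin/false -c "GlassFish app server" "$GF_USER"
  chown -R "$GF_USER:$GF_USER" "$GF_HOME/domains"
  # Only if the domain itself must bind 80/443 (not needed behind Apache/AJP):
  # usermod -K defaultpriv=basic,net_privaddr "$GF_USER"
}

# 4. SMF manifest: asadmin start/stop, both methods run under the account above.
smf_manifest() {
  cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="glassfish:$GF_DOMAIN">
  <service name="$GF_SVC" type="service" version="1">
    <single_instance/>
    <dependency name="network" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>
    <dependency name="filesystem-local" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local:default"/>
    </dependency>
    <exec_method type="method" name="start"
                 exec="$GF_HOME/bin/asadmin start-domain $GF_DOMAIN" timeout_seconds="300">
      <method_context>
        <method_credential user="$GF_USER" group="$GF_USER"/>
      </method_context>
    </exec_method>
    <exec_method type="method" name="stop"
                 exec="$GF_HOME/bin/asadmin stop-domain $GF_DOMAIN" timeout_seconds="120">
      <method_context>
        <method_credential user="$GF_USER" group="$GF_USER"/>
      </method_context>
    </exec_method>
    <property_group name="startd" type="framework">
      <!-- asadmin start-domain returns after the JVM has been forked -->
      <propval name="duration" type="astring" value="transient"/>
    </property_group>
    <instance name="default" enabled="false"/>
    <stability value="Evolving"/>
  </service>
</service_bundle>
EOF
}

# Validate, import and enable the service (run as root).
install_smf_service() {
  m="/var/svc/manifest/application/glassfish-$GF_DOMAIN.xml"
  smf_manifest > "$m"
  svccfg validate "$m" && svccfg import "$m" && svcadm enable "$GF_SVC"
}

# Sanity check usable without root: succeeds only if a method would run as root.
manifest_runs_as_root() {
  smf_manifest | grep -q 'user="root"'
}
```

Run setup_glassfish_user and install_smf_service once per server as root; svcs -x "$GF_SVC" shows why a start failed. Binding 80 and 443 directly as the glassfish user needs the net_privaddr privilege on Solaris 10, which is not required when Apache fronts the domain over AJP as in the list above.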

Nowadays, we have at least three (virtual) servers for each customer project: one for development, one for test and one for production. This means installing and modifying glassfish at least three times. But often we also have hardware based load balancing in projects, which means at least two glassfish instances for each of dev/test/prod, or six installations altogether!

Looking at the new glassfish V2 feature called application server usage profiles shows that the three offered profiles (“developer”, “cluster”, “enterprise”) still lack real production settings. A simple “production” or “production-cluster” profile would be nice. The production profiles should have tuned values (at least the parameters mentioned in the Sun Java System Application Server 9.1 Performance Tuning Guide beginning on page 50), which would make it easier for admins to set up glassfish. The mentioned enterprise profile might not be the best for high traffic web 2.0 production web sites.

How do we do this job with other app servers? For a couple of customers we're using the Bea Weblogic Application Server, and we're using the Sun N1 SPS Bea Weblogic module to install and configure Weblogic. N1 SPS can also run the WebLogic Scripting Tool (WLST), which is a BEA tool for scripting the configuration of BEA WebLogic. WLST is a command-line scripting interface to monitor and manage BEA WebLogic Server instances and domains. The WLST scripting environment is based on the Java scripting interpreter Jython.

Something like this (GFST) would be cool to have for glassfish, too.

glassfish documentation

There’s a lot of documentation for glassfish V2 and the the Sun Java Enterprise System Application Server 9.2 distro on the web. Besides wikis and blogs, there’s the “official” documentation set for glassfish V2, which is the same as the documentation set for Sun Java Enterprise System Application Server 9.1.
Because there are differences between these two distributions, the documentation refers to them.
In the Installation Guide (which I checked first) for example, the different installation methods for these distributions are explained. For earlier Versions of the Sun Java Enterprise System Application, there’s another distribution with the Sun Java™ Enterprise System (Java ES) installer, which also refered in the “Uninstalling Application Server Software” chapter. So, maybe we’ll have three types of glassfish V2 distros and install methods in future?
After setting up glassfish V2 I was interested in tuning and what the Sun Java System Application Server 9.1 PerformanceTuning Guide recommends for production mode. Focusing on the administrative part, I was wondering if there are tips for modifing the default JVM and Solaris 10 settings for different type of Servers like the Sun T2000 Niagara server or Sun X4200 Galaxy AMD Opteron servers. Looking at the section “Tuning for Solaris”, gives me a couple of tuning parameters listed. Looking at them and comparing them to
the Solaris 10 Tunable Parameters Reference Manual shows up, that the suggested Tuning parameters are for Solaris 8 or 9 but not for Solaris 10. Disappointed looking around, I found interesting values to start with in the submitted SPEC jAppServer2004 Results for Sun Java Enterprise System Application Server 9.0 .
I raised issue #3082 for updating tuning parameters to Solaris 10.

UPDATE: Also see gfwiki.