With understanding of secure Internet connections limited to SSL, I'm doubtful about the security of the GlassFish Admin console. Normal secure HTTP connections use https://domain/ URLs, but in GlassFish http://domain:4848/ is used to log in to the Admin console. Is there some kind of encryption going on between the browser and the server when using that administration port, or does all that communication go insecurely, naked to possible hackers?
The GlassFish documentation guides you through using the Admin console, but I haven't found any mention of this security concern.
SSL can be enabled for Admin console inside Admin console -> Configurations -> HTTP Service -> HTTP Listeners -> admin-listener
(responsible for listening for 4848 port)
There is a "secure" checkbox option that is not enabled by default. After enabling it, the Admin console will force the use of SSL. For example, http://domain:4848/ redirects to https://domain:4848/
...not entirely sure if just checking the secure option for admin-listener did the trick, as the console froze when saving the change. After that I also changed AS_ADMIN_SECURE=true in GlassFish's config/asadminenv.conf.
I don't know if this is a GlassFish v3.1-only feature, but you can turn on SSL for the admin console by running the following command:
asadmin enable-secure-admin
as described here: http://blogs.oracle.com/quinn/entry/securing_adminstration_in_glassfish_server1
If you have an install script in order to be able to install your development/production environment reliably again and again, you might want to set the corresponding glassfish property at that script using this line:
asadmin set --port 4848 --user admin --passwordfile password-file.txt server.http-service.http-listener.admin-listener.security-enabled=true
"checking secure option for admin-listener" is working after I restart the server.
If it used SSL, you would access it as https://domain:4848/
You can see more information by choosing "Page info" from your browser's menu. If you have accessed the page through an https URL, you should see a small lock icon somewhere on the browser window, and that icon should be clickable.
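Putting the install-script answer and the "check for https" answer together, here is an added example (not code from the thread or from the GlassFish project) that enables secure admin from a script and then probes the admin port from outside, so the check does not depend on looking for a lock icon. It assumes asadmin is on PATH, the DAS is on port 4848, the admin user is "admin" and the password file is "password-file.txt" (the names used in the answers above); ADMIN_HOST, ADMIN_PORT, PWFILE, enable_secure_admin, probe_admin_port and classify_admin_probe are names chosen here. The sample header blocks in the comments are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: turn on TLS for the GlassFish admin listener and verify it.
# Assumed environment (override with env vars): local DAS on 4848, user "admin",
# password file in asadmin's AS_ADMIN_PASSWORD=... format.
ADMIN_HOST="${ADMIN_HOST:-localhost}"
ADMIN_PORT="${ADMIN_PORT:-4848}"
PWFILE="${PWFILE:-password-file.txt}"

# enable-secure-admin (GlassFish 3.1+) switches the admin listener to TLS and
# requires the domain to be restarted before it takes effect.
enable_secure_admin() {
    asadmin --port "$ADMIN_PORT" --user admin --passwordfile "$PWFILE" enable-secure-admin
    asadmin --port "$ADMIN_PORT" --user admin --passwordfile "$PWFILE" restart-domain
}

# Ask the admin port for a page over plain HTTP and return only the response headers.
# With secure admin on, GlassFish answers with a redirect to https://, which is what
# classify_admin_probe looks for. Prints nothing if no HTTP reply came back.
probe_admin_port() {
    curl -sS -I "http://$ADMIN_HOST:$ADMIN_PORT/" 2>/dev/null
}

# Classify a header block (as produced by probe_admin_port):
#   https-redirect   -> Location header points at https://, secure admin is on
#   plain-http       -> content served in clear text, admin traffic is unprotected
#   no-http-response -> empty reply, the port did not speak plain HTTP at all
# Constructed sample inputs:
#   "HTTP/1.1 302 Found\r\nLocation: https://localhost:4848/\r\n" -> https-redirect
#   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"             -> plain-http
classify_admin_probe() {
    headers="$1"
    if printf '%s\n' "$headers" | grep -qi '^Location: *https://'; then
        echo https-redirect
    elif printf '%s\n' "$headers" | grep -q '^HTTP/'; then
        echo plain-http
    else
        echo no-http-response
    fi
}

# Usage from an install script:
#   enable_secure_admin
#   [ "$(classify_admin_probe "$(probe_admin_port)")" = https-redirect ] || echo "admin port still clear text" >&2
```

The classification step is deliberately separate from the network probe so that the same check can be run against a captured header block, and the "plain-http" outcome is the one an install script should treat as a failure: it means the admin listener still accepts credentials in clear text.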