Hardening GlassFish comes down to three things: locking down the domain administration plane (the DAS and its admin listener, port 4848 by default), terminating application traffic only on TLS listeners backed by a protected keystore, and keeping deployment under explicit operator control instead of directory polling.
¶ 1) Secure domain admin plane
- Set a strong admin password (asadmin change-admin-password) and turn on secure admin (asadmin enable-secure-admin). A freshly created domain ships with an empty admin password and accepts unauthenticated admin from localhost; remote admin stays refused until secure admin is enabled.
- Bind the admin listener to loopback or a dedicated management address instead of the default 0.0.0.0, and firewall 4848 from application networks.
- Keep admin and application traffic on separate network paths (separate listeners, interfaces or VLANs); never expose 4848 next to 8080/8181.
- Audit changes to the admin plane: keep a known-good copy of domain.xml under version control and diff it on a schedule so drift (new listeners, re-enabled autodeploy, added admin users) is caught.
¶ 2) Harden listeners and certificates
- Serve applications only over TLS (http-listener-2 on 8181 is the TLS listener in a default domain) and disable or delete plaintext listeners such as http-listener-1 on 8080 unless something in front of GlassFish terminates TLS.
- Restrict keystore.jks and cacerts.jks in the domain config directory to the service account, replace the default self-signed s1as certificate, and change the default master password (changeit).
- On each TLS protocol's ssl element disable SSLv3, TLS 1.0 and TLS 1.1 (ssl3-enabled, tls-enabled, tls11-enabled set to false) and restrict the cipher list; confirm with an external TLS scanner rather than trusting domain.xml.
- Require TLS on JDBC pools and other outbound connections, and keep their credentials out of domain.xml by using password aliases (asadmin create-password-alias) where the resource supports them.
¶ 3) Deployment and runtime controls
- Turn off the autodeploy directory in production (das-config autodeploy-enabled=false) so an archive dropped into domains/domain1/autodeploy cannot become a running application; deploy explicitly with asadmin deploy.
- Run GlassFish as a dedicated unprivileged account that owns only the domain directory; do not give it root to reach ports below 1024 (put a proxy in front instead).
- Patch GlassFish and the JDK together: TLS behaviour, cipher availability and many of the relevant CVEs live in the JDK, not the server.
- Remove sample applications, undeploy anything not in use (asadmin list-applications, asadmin undeploy), and disable services nobody consumes.
¶ Verification commands
# Names of every listener; anything not needed should be disabled or deleted
/opt/glassfish/glassfish/bin/asadmin list-network-listeners
# DAS settings; autodeploy-enabled must be false in production
/opt/glassfish/glassfish/bin/asadmin get configs.config.server-config.admin-service.das-config.*
# Raw view of listener, protocol and ssl settings (line-numbered, extended regex)
grep -nE "admin-listener|http-listener|ssl" /opt/glassfish/glassfish/domains/domain1/config/domain.xml
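The following script is an added example, not code from GlassFish or its documentation. It audits a domain.xml for the settings covered in sections 1 to 3 above and prints, for each weak setting, the asadmin command that fixes it. The audit is line-oriented and assumes each network-listener, protocol (with its nested ssl element) and das-config element sits on one line, as GlassFish writes them; the sample domain.xml is constructed for the demo, and the harden_sample function only simulates with sed the changes the asadmin commands would make, so the second audit run can be shown clean.

```shell
#!/bin/sh
# Added example, not GlassFish code: line-oriented audit of domain.xml against
# the checklist. Assumes each <network-listener>, <protocol> (+ nested <ssl>)
# and <das-config> sits on one line; otherwise use 'asadmin get' or xmllint.

# Constructed sample domain.xml (not from a real server) carrying the weak
# settings the checklist targets.
make_sample_domain_xml() {
  cat > "$1" <<'EOF'
<domain application-root="${com.sun.aas.instanceRoot}/applications">
  <secure-admin enabled="false"></secure-admin>
  <configs>
    <config name="server-config">
      <network-config>
        <protocols>
          <protocol name="http-listener-1"><http default-virtual-server="server"></http></protocol>
          <protocol security-enabled="true" name="http-listener-2"><http default-virtual-server="server"></http><ssl cert-nickname="s1as" ssl3-enabled="false" tls-enabled="true" tls11-enabled="true" tls12-enabled="true"></ssl></protocol>
          <protocol name="admin-listener"><http default-virtual-server="__asadmin"></http></protocol>
        </protocols>
        <network-listeners>
          <network-listener port="8080" protocol="http-listener-1" transport="tcp" name="http-listener-1" thread-pool="http-thread-pool"></network-listener>
          <network-listener port="8181" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>
          <network-listener port="4848" protocol="admin-listener" transport="tcp" name="admin-listener" thread-pool="admin-thread-pool"></network-listener>
        </network-listeners>
      </network-config>
      <admin-service type="das-and-server" system-jmx-connector-name="system">
        <das-config autodeploy-enabled="true" dynamic-reload-enabled="true"></das-config>
      </admin-service>
    </config>
  </configs>
</domain>
EOF
}

# attr LINE NAME: value of attribute NAME on a one-line element, "" if absent.
attr() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Print one "FINDING: ... -> remediation" line per weak setting in domain.xml $1.
audit_domain_xml() {
  f=$1
  cfg=configs.config.server-config   # dotted-name prefix for 'asadmin set'
  # 1) secure-admin absent or disabled: no TLS on 4848, remote admin refused,
  #    local admin possibly unauthenticated.
  if ! grep -q '<secure-admin [^>]*enabled="true"' "$f"; then
    echo "FINDING: secure-admin not enabled -> asadmin change-admin-password; asadmin enable-secure-admin"
  fi
  # 2) admin-listener without an address attribute binds 0.0.0.0.
  admin_line=$(grep '<network-listener [^>]*name="admin-listener"' "$f" || true)
  case "$(attr "$admin_line" address)" in
    127.0.0.1|::1|localhost) ;;
    *) echo "FINDING: admin-listener not bound to loopback -> asadmin set $cfg.network-config.network-listeners.network-listener.admin-listener.address=127.0.0.1" ;;
  esac
  # 3) autodeploy directory polled for new archives.
  if grep -q '<das-config [^>]*autodeploy-enabled="true"' "$f"; then
    echo "FINDING: autodeploy enabled -> asadmin set $cfg.admin-service.das-config.autodeploy-enabled=false"
  fi
  # 4) per enabled listener: plaintext protocol, or TLS still allowing legacy versions.
  grep '<network-listener ' "$f" | while read -r line; do
    if [ "$(attr "$line" enabled)" = "false" ]; then continue; fi
    name=$(attr "$line" name); proto=$(attr "$line" protocol)
    pline=$(grep "<protocol [^>]*name=\"$proto\"" "$f" || true)
    if [ "$(attr "$pline" security-enabled)" != "true" ]; then
      echo "FINDING: listener $name (port $(attr "$line" port)) is plaintext -> asadmin delete-network-listener $name, or enable TLS on protocol $proto"
    elif [ "$(attr "$pline" ssl3-enabled)" = "true" ] || [ "$(attr "$pline" tls-enabled)" = "true" ] || [ "$(attr "$pline" tls11-enabled)" = "true" ]; then
      echo "FINDING: listener $name allows SSLv3/TLS1.0/TLS1.1 -> asadmin set $cfg.network-config.protocols.protocol.$proto.ssl.tls-enabled=false (likewise tls11-enabled, ssl3-enabled)"
    fi
  done
}

# Number of findings for domain.xml $1.
count_findings() {
  n=$(audit_domain_xml "$1" | grep -c '^') || n=0
  echo "$n"
}

# Demo assumption: simulate with sed the domain.xml edits the remediations
# above would make. On a real DAS run the asadmin commands instead; never
# hand-edit domain.xml while the server is up.
harden_sample() {
  sed -e 's/<secure-admin enabled="false">/<secure-admin enabled="true">/' \
      -e 's/<protocol name="admin-listener">/<protocol security-enabled="true" name="admin-listener">/' \
      -e 's/name="admin-listener" thread-pool/address="127.0.0.1" name="admin-listener" thread-pool/' \
      -e 's/autodeploy-enabled="true"/autodeploy-enabled="false"/' \
      -e 's/tls-enabled="true"/tls-enabled="false"/' \
      -e 's/tls11-enabled="true"/tls11-enabled="false"/' \
      -e 's/name="http-listener-1" thread-pool/enabled="false" name="http-listener-1" thread-pool/' \
      "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo: audit the weak sample, apply the remediations, audit again.
sample=${TMPDIR:-/tmp}/domain-audit-$$.xml
make_sample_domain_xml "$sample"
echo "== weak sample: $(count_findings "$sample") finding(s)"
audit_domain_xml "$sample"
harden_sample "$sample"
echo "== after remediation: $(count_findings "$sample") finding(s)"
rm -f "$sample"
```

Against the constructed sample the first run reports six findings (secure admin off, admin listener on all interfaces, autodeploy on, two plaintext listeners, one TLS listener still allowing TLS 1.0/1.1) and the second run none. On a live server point audit_domain_xml at domains/domain1/config/domain.xml; the authoritative check remains asadmin get on the same dotted names the findings print, since the DAS may hold settings not yet flushed to disk.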
¶ References
- Eclipse GlassFish docs: https://glassfish.org/docs/
- GlassFish source: https://github.com/eclipse-ee4j/glassfish
- Legacy GlassFish Security Guide (concepts still relevant): https://docs.oracle.com/cd/E18930_01/html/821-2435/