Payara inherits Jakarta EE server controls plus Payara-specific hardening features. Focus on secure admin access, TLS, and patch discipline.
¶ 1) Secure admin and asadmin access
- Change default admin credentials immediately.
- Restrict admin console and admin listener to private network/VPN.
- Disable remote admin where not required.
- Audit asadmin usage and administrative role assignments.
¶ 2) Enforce TLS and secure connectors
- Enable HTTPS listeners with strong protocol/cipher settings.
- Protect keystore/truststore locations.
- Require secure transport for JDBC/JMS where supported.
- Enable secure session cookie flags.
¶ 3) Keep runtime and apps hardened
- Disable unused network listeners and services.
- Run Payara under a non-root service account.
- Apply monthly Payara patches and JDK updates.
- Monitor server logs for failed auth and deployment issues.
¶ Verification commands
/opt/payara/bin/asadmin list-network-listeners
/opt/payara/bin/asadmin get server-config.security-service.audit-enabled
grep -R "admin-listener\|http-listener\|ssl" /opt/payara/glassfish/domains/domain1/config/domain.xml
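Added example, not part of this guide or of Payara's own tooling: a Python check that parses a constructed, simplified domain.xml and flags the items the checklist above covers (audit disabled, admin listener bound to all interfaces or without TLS, plaintext HTTP listeners, legacy SSL/TLS versions left enabled). Element and attribute names follow the GlassFish/Payara domain.xml layout; the sample document and listener names are constructed.

```python
# Offline checks over a Payara domain.xml, mirroring the grep above.
# SAMPLE_DOMAIN_XML is a constructed, trimmed-down domain.xml (not a real domain).
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config">
  <security-service audit-enabled="false"/>
  <network-config>
    <protocols>
      <protocol name="admin-listener" security-enabled="false"/>
      <protocol name="http-listener-1" security-enabled="false"/>
      <protocol name="http-listener-2" security-enabled="true">
        <ssl cert-nickname="s1as" tls-enabled="true" tls11-enabled="true" tls12-enabled="true"/>
      </protocol>
    </protocols>
    <network-listeners>
      <network-listener name="admin-listener" port="4848" protocol="admin-listener" address="0.0.0.0" enabled="true"/>
      <network-listener name="http-listener-1" port="8080" protocol="http-listener-1" address="0.0.0.0" enabled="true"/>
      <network-listener name="http-listener-2" port="8181" protocol="http-listener-2" address="0.0.0.0" enabled="true"/>
    </network-listeners>
  </network-config>
</config></configs></domain>"""

def audit_domain_xml(xml_text):
    """Return a list of finding strings for the hardening items in this checklist."""
    root = ET.fromstring(xml_text)
    findings = []
    sec = root.find(".//security-service")
    if sec is None or sec.get("audit-enabled", "false") != "true":
        findings.append("security-service audit-enabled is not true")
    # Each network-listener references a <protocol> by name; TLS lives on the protocol.
    protocols = {p.get("name"): p for p in root.iter("protocol")}
    for nl in root.iter("network-listener"):
        if nl.get("enabled", "true") != "true":
            continue  # disabled listeners are what the checklist wants for unused services
        name, proto = nl.get("name"), protocols.get(nl.get("protocol"))
        tls = proto is not None and proto.get("security-enabled") == "true"
        if name == "admin-listener":
            if nl.get("address", "0.0.0.0") in ("0.0.0.0", "::"):
                findings.append("admin-listener bound to all interfaces; bind to a private/VPN address")
            if not tls:
                findings.append("admin-listener is not TLS-enabled")
        elif not tls:
            findings.append(f"{name} (port {nl.get('port')}) serves plaintext HTTP")
        if tls:
            ssl = proto.find("ssl")  # tls-enabled / tls11-enabled are TLS 1.0 / 1.1 in domain.xml
            for weak in ("ssl2-enabled", "ssl3-enabled", "tls-enabled", "tls11-enabled"):
                if ssl is not None and ssl.get(weak) == "true":
                    findings.append(f"{name}: legacy protocol {weak}")
    return findings

if __name__ == "__main__":
    for f in audit_domain_xml(SAMPLE_DOMAIN_XML):
        print("FINDING:", f)
```

Point it at a real domain (`open('/opt/payara/glassfish/domains/domain1/config/domain.xml').read()`) to run the same checks against a live configuration.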
¶ References
- Payara Security Guide: https://docs.payara.fish/community/docs/Technical%20Documentation/Application%20Development/Securing%20Applications.html
- Payara hardening notes/blog: https://payara.fish/blog/
- Payara source: https://github.com/payara/Payara