Setup of GlassFish and security measures

last modified: 2018-02-04

Clément Levallois


  • I use Debian, version 8.7

  • Vi is used as the text editor in what follows

Installing the JDK 8

Create a new file:

sudo vim /etc/apt/sources.list.d/java-8-debian.list

Add these lines:

Close the file.

Get the signing key:

sudo apt-key adv --keyserver --recv-keys EEA14886

Install the JDK 8:

sudo apt-get update && sudo apt-get install oracle-java8-installer

Set the environment variables:

sudo apt-get install oracle-java8-set-default

Installing Glassfish 4.1

We will install it in /opt/app-server

Create a glassfish user (here the -m option creates its home directory if not already present):

It may be a good idea to choose a user name other than glassfish: default values are always to be avoided.

adduser glassfish --shell /bin/bash
passwd glassfish
adduser glassfish sudo

Change to user glassfish:

su - glassfish

sudo mkdir /opt/app-server

Make the user owner of /opt/app-server:

sudo chown -R glassfish /opt/app-server
sudo chmod -R 700 /opt/app-server

Download GlassFish from here:

cd /opt/app-server

sudo apt-get install zip unzip unzip

Glassfish is now installed.

Hardening Glassfish 4.1

We can access the GlassFish command line with:

cd glassfish4/glassfish/bin


Change the master password:

change-master-password --savemasterpassword

(enter "changeit" when asked for the default password, then choose your own)

We will now delete the default domain ("domain1") and create a new one. 2 reasons for this:

  • We will create a domain with a custom name, to avoid using the default value.

  • Creating a domain from scratch lets us use the "portbase" option:

→ The "portbase" option allows for creating a set of ports different from the default ones.

delete-domain domain1
create-domain --portbase 17390 yourcustomdomain

Use only letters and numbers in the domain name.

So, with portbase 17390 (choose your own value instead), the port for the GlassFish GUI console will be 17390 + 48 = 17438.

Add a tunnel for port 17438 in your SSH connection. Restart your SSH connection.

Go back to /opt/app-server/glassfish4/glassfish/bin and run ./asadmin


If you tunneled the port 17438 in your SSH, you can now go to http://localhost:17438

In the GUI console,

  • change the admin password

  • change the "Address field" in http-listener-2 sub menu to the IP of the server.

  • change the content of /domains/yourcustomdomain/docroot/index.html → "my server is online"

  • create an "errorpages" subdir in your domain root folder and an error page in /domains/yourcustomdomain/errorpages/404.html

Then, in the GUI console, point to this file via:

Configuration|Virtual Server|server
name: send-error_1
value: code=404 path=/errorpages/404.html reason=Resource_not_found

Hide the identity of the server in the headers:

  • In Network-config → Network-listeners → http-listeners (1 and 2) → HTTP tab: turn off the "XPowered By:" header of each http-listener

  • add a JVM-Option""
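
One way to check the result of the steps above from the shell, as an added example that is not part of the original tutorial: it flags response headers that name the server software and error pages that still mention GlassFish. The function names, the sample responses and the assumption that a stock error page contains the word "GlassFish" belong to this example, not to the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check that responses no
# longer identify the server software.

# leaky_headers: raw response headers on stdin; prints each header that
# names the server software and returns 1 if any was found.
leaky_headers() {
    tr -d '\r' | awk '
        {
            sep = index($0, ":")
            if (sep == 0) next                    # status line or blank line
            name = tolower(substr($0, 1, sep - 1))
            value = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
        }
        name == "x-powered-by"          { print "LEAK: " $0; bad = 1 }
        name == "server" && value != "" { print "LEAK: " $0; bad = 1 }
        END { exit bad + 0 }
    '
}

# leaky_body: response body on stdin; returns 1 if it mentions GlassFish
# (assumption: a stock error page does, a custom 404.html does not).
leaky_body() {
    if grep -qi 'glassfish'; then
        echo "LEAK: body mentions GlassFish"
        return 1
    fi
}

# audit_url: live check against your own listener, e.g. through the SSH
# tunnel. Requests a path that should not exist to exercise the 404 page.
audit_url() {
    rc=0
    curl -s -o /dev/null -D - "$1/" | leaky_headers || rc=1
    curl -s "$1/no-such-page-$$" | leaky_body || rc=1
    return $rc
}

# Constructed sample responses (not captured from a real server).
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition  4.1
X-Powered-By: Servlet/3.1 JSP/2.3
Content-Type: text/html'
SAMPLE_HARDENED='HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19'

if [ $# -gt 0 ]; then audit_url "$1"; fi
```

Run it with the base URL of a listener on your own server as the only argument; a non-zero exit status means at least one identifying header or page remains.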

the end

Author of this tutorial: Clement Levallois
