Coming Up for Air



  • Jerkey: A Kotlin DSL for Jersey

    I’m currently working on a DSLs-in-Kotlin presentation for my local JUG, so I need a good domain in which to work. HTML is a great sample domain, but it’s been done to death. After a bit of head scratching, I’ve come up with what is, I think, a somewhat novel domain: REST application building. Sure, there are libraries like Ktor, but suffers from some very serious NIH. I’m totally kidding, but the dearth of discussions regarding REST applications and DSL construction was good enough for me, so let’s see what we have so far.



  • Changing the GlassFish Admin Users's Password Programmatically

    Recently, in the #glassfish channel on Freenode, a user was having trouble configuring GlassFish in a Docker environment. He was scripting the configuration of the server, but was having trouble setting the admin user’s password, since the change-admin-password command takes input from stdin. Fortunately, there’s REST API for that. This curl command will do what the user needs to do without any need for additional input:

    curl  -X POST \
        -H 'X-Requested-By: YeaGlassFish' \
        -H "Accept: application/json" \
        -d id=admin \
        -d AS_ADMIN_PASWORD=password \
        -d AS_ADMIN_NEWPASSWORD=password2 \

    Once the password is set, this same command can be used to change the password, but --user admin:$PASSWORD must be added to authenticate the request.

    I should note that I don’t think this is an officially supported way to execute asadmin commands. It works, but it may change, or it may go away. I would say that Oracle may not support doing this either, but they don’t offer any support, so there’s no harm there. :) Also note that AS_ADMIN_PASWORD has a typo in it that may be fixed in future releases of the server. Caveat emptor! :)





  • A Simple OAuth2 Client and Server Example: Part II

    In the last post, we took a look at the server side of our OAuth2 system. In this post, we’ll take a quick look at the unit tests that will act as TheUser.

  • A Simple OAuth2 Client and Server Example: Part I

    When implementing web site security, OAuth2 almost always comes up. We’ve had requests to implement OAuth2 in the GlassFish REST interface, and, it turns out, I have a similar need on a personal project. Looking at the spec, though, OAuth2 can be pretty daunting. Fortunately, you don’t need to understand it all, and Apache has a project, Oltu (nee Amber) that handles most of the implementation.




  • Using Server Sent Events and the GlassFish REST Interface

    Wikipedia defines Server-Sent Events as "a technology for providing push notifications from a server to a browser client in the form of DOM events. The Server-Sent Events EventSource API is now being standardized as part of HTML5 by the W3C." It’s a great alternative to polling the server for updates. Long story short, thanks to the work of the Jersey team, we have "easy" access to this in GlassFish, and we’ve added support for it to our RESTful administration interface. Let’s take a look at a quick sample.


  • Writing Pluggable Java EE Applications, The Explanation

    I recently posted the slides and the source code from the presentation I gave at JAXConf San Francisco. While that’s helpful for those who were in my session, it’s probably less so for those who weren’t. What I’ll do in this post, then, is discuss the slides and code in detail, skipping over the introductory slides, and getting right to the heart of the matter.


  • GlassFish 3.1.2, REST Security, and the Jersey Client

    I recently blogged about a change we made in GlassFish 3.1.2 with regard to REST security. Specifically, we added some CSRF protection (you can read the details here). For those of you using the Jersey Client, updating your code to support this change is very simple:

    import com.sun.jersey.api.client.filter.CsrfProtectionFilter;
    // ...
    Client client = new Client();
    client.addFilter(new CsrfProtectionFilter());
    // ...

    On the client side, that’s all you have to change. Jersey will take care of the details.

    Hat tip to Dan Allen for suggesting this post. :)

  • GlassFish 3.1.2 and REST Security

    As you may know by now, we released GlassFish 3.1.2 yesterday. Tim Quinn has a nice overview of some of the security-related changes, but one change he didn’t cover was one in the RESTful administration area, namely CSRF protection. I won’t go into the details of what CSRF attack is here, but I do want to show we’ve added protections to GlassFish to make sure the server is as secure as possible.

    For the curious, we implemented the CSRF protection using a filter provided by the Jersey team. As you can see from the javadoc, this change only affects requests that change state (POST, PUT, DELETE, etc). To update your client code, all you need to do is add the X-Requested-By header. Its value doesn’t matter:

    curl -X POST -H 'X-Requested-By: YeaGlassFish' -d key=value \

    That’s all there is to it. It’s a very simple change, but an important one. If you run into any issues with this, please let us know!


  • A Jersey POJOMapping Client/Server Example

    JAX-RS is the specification that describes how to build RESTful interfaces in a Java EE environment. Jersey is the reference implementation of that spec, and, like many implementations, offers features above and beyond what spec does. One feature that I’ve been working with recently is the POJOMapping feature, which makes writing services and clients much easier, as well as typesafe.




  • GlassFish REST Client -

    In a series of recent posts, I’ve shown off what the GlassFish 4.0 REST client wrappers should look like, giving simple examples of using the wrappers using both Java and Python, the two currently supported languages. In this post, we’ll take a look at a more complex example, that of setting up clusters and standalone instances, deploying an app, then cleaning up after ourselves. Let’s jump right in.

  • GlassFish REST Client Goes to the Flying Circus

    It happened a bit more quickly than I had planned, and, yes, I know that’s a pretty bad Python joke, but, as promised, I just committed code to add support for generating Python REST clients to the GlassFish RESTful Administration interface. Let’s take a quick look at it.

  • GlassFish REST Interface, a Client-side Perspective

    As I’ve covered here before, GlassFish sports (and has for a while now), a pretty comprehensive set of management and monitoring REST endpoints. While this goes a long way toward opening up GlassFish management to various scripting solutions, the client side is still pretty manual. One my goals in GlassFish 4.0 is to fix that. In this article, I’m going to give you a sneak peak into what we on the REST team have planned for the GlassFish RESTful administration interface.


  • Managing GlassFish JDBC Resources via REST

    I was asked this morning about creating JDBC resources via REST. As with user management, it’s actually pretty simple, once you’ve seen how. Let’s take a look.

  • Adding Users to a GlassFish Realm via REST

    A user on the GlassFish forums recently asked how to create users in bulk. The asadmin command create-file-user doesn’t support passing the password as a parameter, which makes scripting difficult. The REST interface, though, can help there, and it’s really pretty simple.

  • Debugging GlassFish REST Requests

    If you’ve been following my series on using the GlassFish REST interface, you’ve probably noticed that your JSON and XML output isn’t pretty-printed like mine. While there are several online tools that can fix that for you, there’s no need for the extra step. GlassFish will do that for you. Let’s look at how to make that happen.


  • RESTful GlassFish Monitoring

    In previous posts, I’ve shown various ways to manage a GlassFish 3.1 server via its REST interface. As nice as that is, we also support monitoring your server via REST as well. In this article, we’ll take a look at some of the things you can ask of your server.

  • GlassFish 3.1, REST, and Secure Admin

    After posting my last entry, GlassFish 3.1, REST, and a Secured Admin User, I was asked about an entry on using GlassFish 3.1’s REST interface with secure admin enabled. Some of you may be asking, "Isn’t that what you just wrote about?" While the titles sound the same, they’re slightly different, but in a very significant way. Let’s take a quick look at secure admin and then see what our REST client needs to do make use of this new server configuration.

  • GlassFish 3.1, REST, and a Secured Admin User

    In my last post on using the GlassFish REST interface, a commenter asked about how GlassFish handles security. So far, all of my examples have been using GlassFish 3.1 out of the box, which doesn’t require authentication (as a convenience for developers, as well as system admins evaluating the server). In production, of course, the server will be secured, which means our client code will have to be modified. In this installment, we’ll see how that might be done in Java.

  • Deploying Applications to GlassFish Using curl

    Over the past few months, I’ve been posting tips on how to use the REST interface in GlassFish v3 and later to perform various functions. My last post used Scala. In this much briefer and far less ambitious post, I thought I’d share how to deploy an app using curl (from the shell of your choice). If you’re familiar with the REST endpoint, there’s really not just a whole lot new here:




  • GlassFish Administration: The REST of the Story Part I

    Of the many great things about GlassFish, one that is often mentioned most (and is, in fact, what got me involved with GlassFish as an end user years ago) is the Administration Console. It’s an extremely powerful and capable interface, and is, if I may be so bold, orders of magnitudes better than its open source competition (it may even beat commercial competitors, but I have no experience with those). Another powerful tool in GlassFish administration is the asadmin CLI utility, which allows for quick and easy scripting of server provisioning, etc. Did you know, though, that GlassFish has a third administration interface? As of GlassFish v3, we offer a RESTful administration API, based on Jersey, to allow non-Java clients to configure the app server easily. For GlassFish 3.1, one of my main responsibilities, with the help, I should add of my coworkers Ludovic Champenois and Mitesh Meswani, has been to help improve upon the great start we had in in v3. In this entry, we’ll take a look at the current state of the interface and learn the basics of using.

My Links


Sample quote

Quote source