
Disable or hide "ejb-timer-service-app" on Glassfish/Payara


When running a stock Glassfish or Payara Server, there is a default application deployed called "ejb-timer-service-app", which includes a web frontend at http://localhost:8080/ejb-timer-service-app/timer


More information here: https://docs.oracle.com/cd/E18930_01/html/821-2418/beahw.html

Sadly the frontend is not reachable over the protected admin console (port 4848) but over the main host (port 8080 and 8181). So everyone knowing my server URL can access this page.

Is there a way to deactivate the app (not the ejb-timer-service itself) or at least make the frontend page no longer accessible (hide it) without some fancy firewall or load balancer configurations?


Solution

  • Apparently there is currently no way to disable the application out of the box. I requested a new feature for Payara over at GitHub: https://github.com/payara/Payara/issues/1803

    Because the ejb-timer-service-app.war is required for the application server in order to provide the EJB timerservice it can't be deleted.

    However I've created a workaround to at least disable the frontend part:

    I did some quick tests locally on how to remove the frontend without damaging the EJB timer-service. Here is what I've changed inside the ${PAYARA_HOME}/glassfish/lib/install/applications/ejb-timer-service-app.war:

    Delete file WEB-INF\sun-web.xml
    Delete file WEB-INF\web.xml
    Delete folder WEB-INF\classes\com

    Shell commands:

    zip -d ejb-timer-service-app.war "WEB-INF/sun-web.xml"
    zip -d ejb-timer-service-app.war "WEB-INF/web.xml"
    zip -d ejb-timer-service-app.war "WEB-INF/classes/com/*"
    

    If the domain has been started before, you also have to delete the folder glassfish\domains\domain1\applications\ejb-timer-service-app to clean up the already deployed frontend.

    After a domain restart, the servlet at http://localhost:8080/ejb-timer-service-app/timer is no longer available (HTTP 404); nevertheless, the EJB timers are working properly.
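
The same three deletions as an added example (not part of the original answer and not Payara tooling): a Python rewrite of the WAR that keeps a backup and then audits the archive, so you can confirm no frontend entry is left before restarting the domain. The function names, the backup path argument and the script name `strip_war.py` are assumptions made for this sketch.

```python
import shutil
import sys
import zipfile
from pathlib import Path

# Entries the answer deletes from ejb-timer-service-app.war
FRONTEND_FILES = {"WEB-INF/sun-web.xml", "WEB-INF/web.xml"}
FRONTEND_PREFIX = "WEB-INF/classes/com/"


def is_frontend_entry(name):
    """True for the two descriptors and anything under WEB-INF/classes/com/."""
    name = name.replace("\\", "/")
    return name in FRONTEND_FILES or name.startswith(FRONTEND_PREFIX)


def frontend_entries(war):
    """Audit step: frontend entries still present in the WAR (sorted)."""
    with zipfile.ZipFile(war) as zf:
        return sorted(n for n in zf.namelist() if is_frontend_entry(n))


def strip_frontend(war, backup):
    """Rewrite the WAR without the frontend entries, keeping a copy at `backup`.

    Returns the removed names; an already stripped WAR is left untouched.
    """
    war, backup = Path(war), Path(backup)
    removed = frontend_entries(war)
    if not removed:
        return []
    shutil.copy2(war, backup)
    tmp = war.with_name(war.name + ".tmp")
    with zipfile.ZipFile(backup) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not is_frontend_entry(info.filename):
                dst.writestr(info, src.read(info))  # keeps name, date, mode
    tmp.replace(war)  # swap in only after the new archive is complete
    return removed


if __name__ == "__main__":
    # usage (hypothetical script name): strip_war.py <war path> <backup path>
    war_path, backup_path = sys.argv[1], sys.argv[2]
    print("removed:", strip_frontend(war_path, backup_path))
    leftover = frontend_entries(war_path)
    print("frontend entries remaining:", leftover)
    sys.exit(1 if leftover else 0)
```

Run it with the domain stopped; the already deployed copy under the domain's applications folder still has to be removed as described in the answer.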