For reasons beyond my comprehension, GlassFish refuses to play ball with iptables. That is, with all the correct redirection rules in place, it won't receive any redirected traffic. So I'm at plan B, which is to bind GlassFish to ports 80 and 443 rather than 8080 and 8181.
As I don't want to run GlassFish as root for security reasons, I need to grant the user account that is running it sufficient privileges to bind to ports 80 and 443. From a security point of view, it's not risky because iptables is blocking all the other ports.
In CentOS 6.4, what command(s) do I execute to allow a specified non-root user to listen directly on ports < 1024?
Please don't suggest drastic solutions that involve downloading (and compiling) stuff from random locations. I need something reproducible, so if any dependencies need to be brought in, they need to come from CentOS's package repository.
No, you don't want to do this.
Instead, pick your favorite web server (I prefer nginx), and use that to proxy requests from port 80 to wherever glassfish is listening.
The config bits for doing this are very simple, and you'll end up with a far more secure and more manageable system.
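The front-end setup this answer recommends, written out as an added example (it is not the answer's own configuration and not part of nginx or GlassFish). It assumes nginx from EPEL on CentOS 6, GlassFish's HTTP listener on 127.0.0.1:8080, and a certificate/key at two placeholder paths under /etc/pki; TLS terminates at nginx, so both virtual hosts proxy to the plain HTTP listener.

```shell
#!/bin/sh
# Added example (not from the answer above or from GlassFish/nginx): run nginx on
# 80/443 as the root-started, privilege-dropping front end and leave GlassFish on
# its unprivileged port. Assumptions, all placeholders: nginx installed from EPEL
# (yum install nginx), GlassFish's http-listener-1 on 127.0.0.1:8080, and a
# certificate/key at the two /etc/pki paths below.
set -eu

GF_BACKEND="127.0.0.1:8080"                   # GlassFish http-listener-1 (assumed)
SSL_CERT="/etc/pki/tls/certs/glassfish.crt"   # assumed path
SSL_KEY="/etc/pki/tls/private/glassfish.key"  # assumed path
CONF="/etc/nginx/conf.d/glassfish.conf"

# Print the nginx configuration for a given backend and key pair. TLS terminates
# here, so both server blocks proxy to the plain HTTP listener; X-Forwarded-Proto
# tells the application which scheme the client actually used. nginx's own
# $variables are escaped so the shell leaves them alone.
render_proxy_conf() {
    backend="$1"; cert="$2"; key="$3"
    cat <<EOF
server {
    listen 80;
    server_name _;
    location / {
        proxy_pass http://$backend;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate $cert;
    ssl_certificate_key $key;
    location / {
        proxy_pass http://$backend;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Write the file, let nginx validate it before anything is loaded, then reload.
install_proxy_conf() {
    render_proxy_conf "$GF_BACKEND" "$SSL_CERT" "$SSL_KEY" > "$CONF"
    nginx -t && service nginx reload
}

# Side effects only when asked for, so the file can be sourced for its functions.
if [ "${1:-}" = "install" ]; then
    install_proxy_conf
fi
```

Two things make this safer than a capability grant: nginx's master process binds the ports as root and hands the sockets to workers running as the nginx user, and GlassFish never needs any privilege at all. Keep GlassFish's listeners bound to 127.0.0.1 (the address attribute of the network listener in domain.xml) so the proxy cannot be bypassed even if the iptables rules change, and since TLS now terminates at nginx the 8181 HTTPS listener can be disabled.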
The authbind tool will work. Just install/unpack it and prepend it to your command. For my installation I edited /usr/share/java-utils/java-functions and called $JAVACMD with it and it worked with no problem.
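What "prepend authbind" involves in practice, as an added example rather than the answerer's own setup: authbind is a Debian tool and, to my knowledge, not packaged in CentOS 6's repositories, so the example assumes it has already been installed by other means, that the service account is "glassfish" and that GlassFish lives under /opt/glassfish (all placeholders).

```shell
#!/bin/sh
# Added example (not the answer's own setup): authorise one unprivileged account
# for ports 80 and 443 through authbind, then launch GlassFish under it.
# Assumptions (placeholders): authbind already installed, service account
# "glassfish", GlassFish under /opt/glassfish.
set -eu

GF_USER="glassfish"
GF_HOME="/opt/glassfish"

# authbind permits a bind when /etc/authbind/byport/<port> exists and is
# executable by the calling user. Owning the file as that user with mode 0500
# limits the grant to that one account.
authbind_port_file() { printf '/etc/authbind/byport/%s\n' "$1"; }

# Accept only 1..1023: ports >= 1024 need no authorisation, and non-numbers
# must not create stray files.
is_privileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ]
}

allow_port() {
    is_privileged_port "$1" || { echo "refusing port '$1'" >&2; return 1; }
    f=$(authbind_port_file "$1")
    touch "$f"
    chown "$GF_USER" "$f"
    chmod 0500 "$f"
}

# --deep keeps the authorisation for child processes, which matters here because
# asadmin forks the real JVM rather than binding the port itself.
start_glassfish() {
    su -s /bin/sh "$GF_USER" -c "authbind --deep $GF_HOME/bin/asadmin start-domain"
}

if [ "${1:-}" = "apply" ]; then
    allow_port 80
    allow_port 443
    start_glassfish
fi
```

Two checks worth doing afterwards: `ls -l /etc/authbind/byport` should show both files owned by the service account and nothing else, and if the JVM still reports "Permission denied" on bind, remember that older authbind builds only intercept IPv4 binds while the JVM opens IPv6 sockets by default, so starting Java with `-Djava.net.preferIPv4Stack=true` is the usual workaround.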
You ought to be able to use capabilities(7) to accomplish this. See e.g. https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l/414258#414258 for lots of information.
I'm not specifically familiar with GlassFish so my reservation with this approach is that you may need to grant the CAP_NET_BIND_SERVICE capability to Java as a whole, which of course would be risky. Making a copy of the Java binary specifically for this purpose is one (also imperfect) option.
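The "dedicated copy of the Java binary" variant of this answer, carried through as an added example (it is not the answerer's procedure and not part of GlassFish or OpenJDK). It assumes CentOS 6 with setcap/getcap from the libcap package, a 64-bit JRE at /usr/lib/jvm/jre, GlassFish under /opt/glassfish running as user "glassfish", and a private java home at /opt/glassfish-jre; every one of those paths is a placeholder. The check function handles both the older `file = caps` and the newer `file caps` output formats of getcap.

```shell
#!/bin/sh
# Added example (not the answer's own procedure): grant CAP_NET_BIND_SERVICE to one
# dedicated copy of the Java launcher so that only GlassFish's JVM can bind 80/443.
# Assumptions (all placeholders): CentOS 6 with the libcap package (setcap/getcap),
# 64-bit JRE at /usr/lib/jvm/jre, GlassFish under /opt/glassfish as user "glassfish".
set -eu

SRC_JRE="/usr/lib/jvm/jre"      # assumed JRE location
CAP_HOME="/opt/glassfish-jre"   # private "java home" that holds the capable launcher
ARCH="amd64"

# Build a minimal java home: a real copy of the launcher (file capabilities live
# in the security.capability xattr on the inode, so a hard link would privilege
# the system java too) plus a symlinked lib/ so the launcher still finds libjvm.so
# and rt.jar relative to its own location.
make_cap_jre() {
    mkdir -p "$CAP_HOME/bin"
    cp -p "$SRC_JRE/bin/java" "$CAP_HOME/bin/java"
    ln -sfn "$SRC_JRE/lib" "$CAP_HOME/lib"
    chown root:root "$CAP_HOME/bin/java"
    chmod 0755 "$CAP_HOME/bin/java"
    # A binary carrying file capabilities is loaded in secure-execution mode, where
    # the $ORIGIN-relative RPATH the launcher uses to find libjli.so is ignored.
    # Registering that directory with ldconfig avoids the well-known
    # "error while loading shared libraries: libjli.so" after setcap.
    echo "$SRC_JRE/lib/$ARCH/jli" > /etc/ld.so.conf.d/glassfish-jli.conf
    ldconfig
    # Effective+permitted: the JVM is not capability-aware, so the capability must
    # be effective from exec. Nothing is inheritable, so programs the JVM exec()s
    # (Runtime.exec) do not keep it.
    setcap cap_net_bind_service=+ep "$CAP_HOME/bin/java"
}

# Decide from one line of getcap output whether the file can bind privileged
# ports: cap_net_bind_service must appear in a clause whose flags include both
# e and p. Pure function, so it can be exercised without root.
caps_allow_bind() {
    for clause in $1; do
        case "$clause" in /*|=) continue ;; esac   # skip the file name and the '=' of older getcap output
        names="${clause%%[+=-]*}"
        flags="${clause#"$names"}"
        case ",$names," in *,cap_net_bind_service,*) ;; *) continue ;; esac
        case "$flags" in [+=]*e*p*|[+=]*p*e*) return 0 ;; esac
    done
    return 1
}

# The check you would run on the box after make_cap_jre.
verify_cap_jre() {
    caps_allow_bind "$(getcap "$CAP_HOME/bin/java" 2>/dev/null)"
}

# Point asadmin at the private home (AS_JAVA in glassfish/config/asenv.conf does
# the same permanently) and start the domain as the service account.
start_glassfish() {
    su -s /bin/sh glassfish -c "AS_JAVA=$CAP_HOME /opt/glassfish/bin/asadmin start-domain"
}

if [ "${1:-}" = "apply" ]; then
    make_cap_jre
    verify_cap_jre || { echo "capability not set on $CAP_HOME/bin/java" >&2; exit 1; }
    start_glassfish
fi
```

The copy must stay root-owned and unwritable by the service account; the kernel drops the security.capability xattr on write, so a writable copy would at best silently lose the grant. Confirm the system launcher is untouched with `getcap /usr/lib/jvm/jre/bin/java` (no output) and that the JVM really got it with `cat /proc/<pid>/status | grep Cap` once the domain is up.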