dev@glassfish-samples.java.net

Re: Samples for JACC and JASPI with glassfish

From: Rejeev Divakaran <rejeev_at_gmail.com>
Date: Mon, 2 Jul 2007 10:56:26 +0530

Hi,
I have developed a sample JMAC provider and configured a small web
application with it. Authentication works fine; however, authorization fails.
I have turned the log level for security to finest and got the log
entries below. It looks like
'com.sun.web.security.WebSecurityManager.checkPermission' fails.
I am using a custom implementation of the java.security.Principal interface.
Isn't that OK?
Am I supposed to use GSS-API for creating the Principal?

Any other clue what could be wrong?

Regards,
Rejeev.

Log entries:

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=setPolicyContext;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Policy Context ID was: hello1/hello1|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Generating a protection domain for Permission check.|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Checking with Principal : admin|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Codesource with Web URL: file:/hello1/hello1|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Checking Web Permission with Principals : admin|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /index.jsp GET)|#]

[#|2007-07-02T09:31:47.926+0530|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImplies;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|JACC Policy Provider: PolicyWrapper.implies, context (hello1/hello1)- result was(false) permission ((javax.security.jacc.WebResourcePermission /index.jsp GET))|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] hasResource isGranted: false|#]

[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /index.jsp GET)|#]
On 6/23/07, Rejeev Divakaran <rejeev_at_gmail.com> wrote:
>
> Hi Ron,
> Thanks for the detailed mail!
> I have come across your articles while browsing (especially the JavaOne
> BOF presentation on the same topic) and wanted to contact you. I had also
> previously gone through
> http://spnego.ocean.net.au/documentation/configuring_spnego_in_glassfish.html
> Thanks Sreenivas for getting in touch with Ron.
> I agree with Ron's suggested phases (my choice of EJB was rather arbitrary,
> maybe just to demonstrate the usage of the client-side APIs).
> Phase 3 will be a very good use case. We can use the JACC API for providing a
> centrally administered policy server (some of the leading security products
> provide such functionality).
>
> I will follow as below.
> phase 1: Web application with local SAM
> phase 2: SSO for web application with shared network authentication
> service
> phase 3: usage of central policy server with JACC api
> I will keep you updated as I progress.
>
> Regards,
> Rejeev.
>
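The trace above says where the deny happens: the SAM has authenticated a principal (admin), but the JACC policy consulted for context hello1/hello1 answers false for the WebResourcePermission, so hasResourcePermission denies. Below is an added example, not code from the mail or from GlassFish, that parses the GlassFish uniform log format ([#|...|#]) and reduces such a trace to that one finding; the input is the rejoined log excerpt from the mail, and the field layout of the record format is an assumption based on those lines.

```python
import re

# Four records from the log excerpt quoted in the mail, rejoined onto single
# lines (the mail client had wrapped them); they are the input, not constructed.
SAMPLE_LOG = """\
[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Checking Web Permission with Principals : admin|#]
[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /index.jsp GET)|#]
[#|2007-07-02T09:31:47.926+0530|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImplies;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|JACC Policy Provider: PolicyWrapper.implies, context (hello1/hello1)- result was(false) permission ((javax.security.jacc.WebResourcePermission /index.jsp GET))|#]
[#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security] hasResource isGranted: false|#]
"""

# Assumed layout of one record: [#|timestamp|level|product|logger|key=value;...|message|#]
RECORD_RE = re.compile(r"\[#\|(.*?)\|#\]", re.S)


def parse_records(text):
    """GlassFish uniform log text -> list of (level, logger, attrs, message)."""
    records = []
    for body in RECORD_RE.findall(text):
        parts = body.split("|", 5)  # ts, level, product, logger, kv, message
        if len(parts) == 6:         # else a truncated or still-wrapped record
            attrs = dict(i.split("=", 1) for i in parts[4].split(";") if "=" in i)
            records.append((parts[1], parts[3], attrs, parts[5]))
    return records


def jacc_decisions(records):
    """Per _RequestID: principals checked, permission asked, policy answer, outcome."""
    out = {}
    for _level, logger, attrs, msg in records:
        if logger != "javax.enterprise.system.core.security":
            continue
        d = out.setdefault(attrs.get("_RequestID"), {"principals": [],
            "permission": None, "context": None, "implied": None, "granted": None})
        if m := re.search(r"Principals? : (.+)$", msg):
            d["principals"] = [p.strip() for p in m.group(1).split(",")]
        if m := re.search(r"Web Permission = \((\S+) (\S+) (\S+)\)", msg):
            d["permission"] = m.groups()
        if m := re.search(r"context \((.*?)\)- result was\((true|false)\)", msg):
            d["context"], d["implied"] = m.group(1), m.group(2) == "true"
        if m := re.search(r"isGranted: (true|false)", msg):
            d["granted"] = m.group(1) == "true"
    return out


def explain(d):
    """A deny with implies == false is a policy decision on already-authenticated principals."""
    if d["granted"] is False and d["implied"] is False:
        return ("principals %s authenticated, but policy context %s does not imply "
                "%s %s %s: check the role grant and the role-to-principal mapping"
                % (",".join(d["principals"]), d["context"], *d["permission"]))
    return "granted" if d["granted"] else "undetermined"
```

Run it as `for req, d in jacc_decisions(parse_records(SAMPLE_LOG)).items(): print(req, explain(d))` over a server.log with the security logger at FINEST to see, per request, whether a 403 came from the policy or from an earlier step.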