users@glassfish.java.net

Re: Please help me verify this security bug

From: <glassfish_at_javadesktop.org>
Date: Tue, 25 Sep 2007 06:32:20 PDT

I also have a problem, Java 1.5, Glassfish v2 b58 but Windows XP SP2 - however, I'm not convinced it's not me being dumb so I'm hoping someone may spot my mistake if there is one. I am using a JDBC realm which is working fine but I'm having trouble getting security constraints to work properly as per the mappings in web.xml/sun-web.xml.

I am a Glassfish newbie (Tomcat, OC4J previously) but this app was working fine on Tomcat 5.5 and still is - the only new bit is sun-web.xml. I can see from the server.log that the logon is being validated fine (see below) but the resource is not granted. I've pasted a snippet from the 2 .xml files which I hope might help as I can't for the life of me see what is wrong here.

web.xml extract:
<security-constraint>
  <display-name>PP booking system</display-name>
  <web-resource-collection>
    <web-resource-name>Something</web-resource-name>
    <url-pattern>/booking/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>booking</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>Booking constraint</description>
  <role-name>booking</role-name>
</security-role>

and later <servlet> and <servlet-mapping> elements for the booking servlet, which seem to work fine.

sun-web.xml

<sun-web-app>
  <context-root>/ppui</context-root>

  <security-role-mapping>
    <role-name>booking</role-name>
    <principal-name>democustomer_booking</principal-name>
    <group-name>booking</group-name>
  </security-role-mapping>
</sun-web-app>


Log:
[#|2007-09-25T13:59:33.671+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=initialize;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule|#]

[#|2007-09-25T13:59:35.343+0100|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.enterprise.security.auth.login.JDBCLoginModule;MethodName=authenticate;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|JDBC login succeeded for: democustomer_booking groups:[Ljava.lang.String;@7cbe54|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=login;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|JAAS login complete.|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=commit;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|JAAS authentication committed.|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPasswordLogin;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|Password login succeeded for : democustomer_booking|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPasswordLogin;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|Set security context as user: democustomer_booking|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=setPolicyContext;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Policy Context ID was: ppui/ppui|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Generating a protection domain for Permission check.|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Checking with Principal : democustomer_booking|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Checking with Principal : booking|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Codesource with Web URL: file:/ppui/ppui|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Checking Web Permission with Principals : democustomer_booking, booking|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /booking GET)|#]

[#|2007-09-25T13:59:35.343+0100|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImplies;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|JACC Policy Provider: PolicyWrapper.implies, context (ppui/ppui)- result was(false) permission ((javax.security.jacc.WebResourcePermission /booking GET))|#]

[#|2007-09-25T13:59:35.343+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8085-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=181440d6-5b0f-4700-a079-f126a90e1a0d;|[Web-Security] hasResource isGranted: false|#]
I'm using the same web.xml that I previously used with no problems in Tomcat 5.5

Any ideas? I'll try with Java 1.6 and see if that makes any difference too.
[Message sent by forum member 'richliv' (richliv)]

http://forums.java.net/jive/thread.jspa?messageID=236950
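Added example, not part of the post above: a small Python model of how a servlet container evaluates the web.xml constraint and the sun-web.xml role mapping the poster quotes. The two fragments are reproduced as constructed, well-formed input (the group-name closing tag corrected), the URL-pattern rules follow the Servlet/JACC specification (a path-prefix pattern such as /booking/* also matches /booking itself), and the principals are the two the log lists. Under these rules the expected decision for GET /booking is grant, which is what makes the "result was(false)" line in the PolicyWrapper output worth investigating.

```python
import xml.etree.ElementTree as ET

# Constructed from the post's fragments, made well-formed (not the poster's full files).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/booking/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>booking</role-name></auth-constraint>
</security-constraint></web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping>
  <role-name>booking</role-name>
  <principal-name>democustomer_booking</principal-name>
  <group-name>booking</group-name>
</security-role-mapping></sun-web-app>"""

def pattern_matches(pattern, path):
    """Servlet/JACC URL-pattern rules: default, path prefix, extension, exact.
    A prefix pattern such as /booking/* matches /booking itself as well."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def load_constraints(web_xml):
    """Yield (url patterns, http methods, required roles) per security-constraint."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        yield ([p.text for p in sc.iter("url-pattern")],
               [m.text for m in sc.iter("http-method")],  # empty = all methods
               [r.text for r in sc.iter("role-name")])    # auth-constraint roles

def load_role_mapping(sun_web_xml):
    """Map each role to the principal and group names assigned to it."""
    mapping = {}
    for srm in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        names = {e.text for e in srm if e.tag in ("principal-name", "group-name")}
        mapping.setdefault(srm.find("role-name").text, set()).update(names)
    return mapping

def is_granted(web_xml, sun_web_xml, principals, path, method="GET"):
    """Grant unless a matching constraint requires a role the caller lacks."""
    roles = {r for r, n in load_role_mapping(sun_web_xml).items() if n & set(principals)}
    for patterns, methods, required in load_constraints(web_xml):
        if not any(pattern_matches(p, path) for p in patterns):
            continue  # unconstrained path: granted to everyone
        if methods and method not in methods:
            continue
        if not (set(required) & roles):  # empty auth-constraint = deny everyone
            return False
    return True
```

Running is_granted with the principals from the log against "/booking" returns True, so a false result from the container points at the deployed descriptors or the realm's group mapping rather than at the constraint itself.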