users@glassfish.java.net

Re: SecurityManager permission debugging?

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Wed, 30 Jul 2008 10:33:01 -0400

Rajeev Angal wrote:
> Hi,
> Is there a security related logs that I can turn on and inspect to
> trackdown a issue using embedded OpenDS on AS91.U1 EE or GFv2UR1 ?
> Things work fine if teh security manager is turned on - so we suspect
> some permission is being violated .
>
> thanks,
> -rajeev
>

If you mean, things work fine unless the security manager is turned on,
and assuming OpenDS is embedded within the app server, then "most"
failed permission checks are logged in server.log (by the default jacc
provider).

Look for the string "domain that failed". The log msg will show the
permission check that failed, including the protection domain that was
denied the permission.

there are also some other side-effects of truning off the security
manager, e.g., no call to doAsPriv is made before dispatch into an
application, but not having a requried permission is more likely to surface.

Ron

failed checks of WebResourcePermission, MBeanPermission,
WebRoleRefPermision, and EJBRoleREfPermission are not logged (unless you
  increase the SECURITY logging level top FINEST.