users@glassfish.java.net

Sometimes login does not work with JDBCRealm

From: <glassfish_at_javadesktop.org>
Date: Tue, 05 May 2009 00:43:15 PDT

Sometimes the user cannot be authenticated in Glassfish (v2ur2-b04 and v2.1-b60e):

The log says:
[#|2009-04-30T13:11:38.812+0200|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=30;_ThreadName=httpSSLWorkerThread-8080-3;|JACC Policy Provider: PolicyWrapper.implies, context(..._war)- permission((javax.security.auth.AuthPermission createLoginContext.jdbcRealm)) domain that failed(ProtectionDomain (file:/C:/..._jar/ <no signer certificates>)
 EJBClassLoader :
urlSet = [URLEntry : file:/C:/...]
doneCalled = false
 Parent -> EJBClassLoader :
urlSet = []
doneCalled = false
 Parent -> java.net.URLClassLoader@1a0d866


 <no principals>
 java.security.Permissions@ecb74e (
 (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
 (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
 (java.net.SocketPermission localhost:1024- listen,resolve)
 (java.net.SocketPermission * connect,resolve)
 (java.lang.RuntimePermission getClassLoader)
 (java.lang.RuntimePermission loadLibrary.*)
 (java.lang.RuntimePermission accessDeclaredMembers)
 (java.lang.RuntimePermission getProtectionDomain)
 (java.lang.RuntimePermission modifyThreadGroup)
 (java.lang.RuntimePermission stopThread)
 (java.lang.RuntimePermission setContextClassLoader)
 (java.lang.RuntimePermission queuePrintJob)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission * read,write)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission os.arch read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission java.specification.vendor read)
 (javax.management.MBeanTrustPermission register)
 (unresolved javax.security.jacc.WebUserDataPermission /client-file-sync null)
 (unresolved javax.security.jacc.WebUserDataPermission /:/client-file-sync:/client-sync-stream:/fileDownload/* null)
 (unresolved javax.security.jacc.WebUserDataPermission /client-sync-stream null)
 (unresolved javax.security.jacc.WebUserDataPermission /fileDownload/* null)
 (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
 (unresolved javax.security.jacc.WebResourcePermission /:/client-file-sync:/client-sync-stream:/fileDownload/* null)
 (unresolved javax.security.jacc.WebResourcePermission /client-file-sync !GET,POST)
 (unresolved javax.security.jacc.WebResourcePermission /client-sync-stream !GET,POST)
 (unresolved javax.security.jacc.WebResourcePermission /fileDownload/* !GET,POST)
 (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
 (unresolved ognl.OgnlInvokePermission * null)
 (java.lang.reflect.ReflectPermission suppressAccessChecks)
 (java.io.FilePermission C:\development\Server\Working\- delete)
 (java.io.FilePermission C:\development\Server\Documents\- delete)
 (java.io.FilePermission C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\\- delete)
 (java.io.FilePermission C:/development/glassfish/domains/centerware2\lib\databases\- delete)
 (java.io.FilePermission <<ALL FILES>> read,write)
)

)|#]

[#|2009-04-30T13:11:38.812+0200|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=30;_ThreadName=httpSSLWorkerThread-8080-3;51001;|SEC5046: Audit: Authentication refused for [51001].|#]

[#|2009-04-30T13:11:38.812+0200|WARNING|sun-appserver9.1|javax.enterprise.system.container.web|_ThreadID=30;_ThreadName=httpSSLWorkerThread-8080-3;_RequestID=ffb6a51b-f904-4275-b8dd-1d7179e7fd1c;|Web login failed: Login failed: java.security.AccessControlException: access denied (javax.security.auth.AuthPermission createLoginContext.jdbcRealm)|#]

I tried to add the following permission in server.policy:
grant {
    permission javax.security.auth.AuthPermission "createLoginContext.*";
};

Then I get another error:
[#|2009-05-04T17:11:43.281+0200|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=31;_ThreadName=httpSSLWorkerThread-8080-3;|JACC Policy Provider: PolicyWrapper.implies, context(..._war)- permission((javax.security.auth.AuthPermission doAsPrivileged)) domain that failed(ProtectionDomain (file:/C:/..._jar/ <no signer certificates>)
 EJBClassLoader :
urlSet = [URLEntry : file:/C:/...]
doneCalled = false
 Parent -> EJBClassLoader :
urlSet = []
doneCalled = false
 Parent -> java.net.URLClassLoader@4cd580


 <no principals>
 java.security.Permissions@140733d (
 (javax.security.auth.AuthPermission createLoginContext.*)
 (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
 (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
 (java.net.SocketPermission localhost:1024- listen,resolve)
 (java.net.SocketPermission * connect,resolve)
 (java.lang.RuntimePermission getClassLoader)
 (java.lang.RuntimePermission loadLibrary.*)
 (java.lang.RuntimePermission accessDeclaredMembers)
 (java.lang.RuntimePermission getProtectionDomain)
 (java.lang.RuntimePermission modifyThreadGroup)
 (java.lang.RuntimePermission stopThread)
 (java.lang.RuntimePermission setContextClassLoader)
 (java.lang.RuntimePermission queuePrintJob)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission * read,write)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission os.arch read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission java.specification.vendor read)
 (javax.management.MBeanTrustPermission register)
 (unresolved javax.security.jacc.WebUserDataPermission /client-file-sync null)
 (unresolved javax.security.jacc.WebUserDataPermission /:/fileDownload/*:/client-sync-stream:/client-file-sync null)
 (unresolved javax.security.jacc.WebUserDataPermission /client-sync-stream null)
 (unresolved javax.security.jacc.WebUserDataPermission /fileDownload/* null)
 (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
 (unresolved javax.security.jacc.WebResourcePermission /:/fileDownload/*:/client-sync-stream:/client-file-sync null)
 (unresolved javax.security.jacc.WebResourcePermission /client-file-sync !GET,POST)
 (unresolved javax.security.jacc.WebResourcePermission /client-sync-stream !GET,POST)
 (unresolved javax.security.jacc.WebResourcePermission /fileDownload/* !GET,POST)
 (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
 (unresolved ognl.OgnlInvokePermission * null)
 (java.lang.reflect.ReflectPermission suppressAccessChecks)
 (java.io.FilePermission C:\development\Server\Working\- delete)
 (java.io.FilePermission C:\development\Server\Documents\- delete)
 (java.io.FilePermission C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\\- delete)
 (java.io.FilePermission C:/development/glassfish/domains/centerware2\lib\databases\- delete)
 (java.io.FilePermission <<ALL FILES>> read,write)
)

)|#]

[#|2009-05-04T17:11:43.281+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=31;_ThreadName=httpSSLWorkerThread-8080-3;_RequestID=fbfa04b9-ec95-469d-b7b1-a7f20c378daa;|SEC5048: doAsPrivileged AuthPermission required to set SecurityContext.
java.security.AccessControlException: access denied (javax.security.auth.AuthPermission doAsPrivileged)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at com.sun.enterprise.security.SecurityContext.setCurrent(SecurityContext.java:324)
        at com.sun.enterprise.security.auth.LoginContextDriver.setSecurityContext(LoginContextDriver.java:719)
        at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:321)
        at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:170)
        at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:123)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:479)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:447)
        at com.sun.enterprise.webservice.EjbWebServiceServlet.doSecurity(EjbWebServiceServlet.java:304)
        at com.sun.enterprise.webservice.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:200)
        at com.sun.enterprise.webservice.EjbWebServiceServlet.service(EjbWebServiceServlet.java:155)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
        at com.sun.enterprise.web.AdHocContextValve.invoke(AdHocContextValve.java:114)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:87)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
        at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.executeServlet(CometEngine.java:547)
        at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.handle(CometEngine.java:299)
        at com.sun.enterprise.web.connector.grizzly.comet.CometAsyncFilter.doFilter(CometAsyncFilter.java:87)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.invokeFilters(DefaultAsyncExecutor.java:175)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.interrupt(DefaultAsyncExecutor.java:153)
        at com.sun.enterprise.web.connector.grizzly.async.AsyncProcessorTask.doTask(AsyncProcessorTask.java:92)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)

There seem to be only classes from the glassfish/lib directory involved, so why this problem!?
See server.policy:
// Core server classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
    permission java.security.AllPermission;
};


Seems to be the same problem as this bug: https://glassfish.dev.java.net/issues/show_bug.cgi?id=6711

As a workaround, what other permissions do I need?

Perhaps:
grant {
   permission javax.security.auth.AuthPermission "createLoginContext.*";
   permission javax.security.auth.AuthPermission "doAs";
   permission javax.security.auth.AuthPermission "readPrivateCredentials";
   permission javax.security.auth.AuthPermission "modifyPrincipals";
   permission javax.security.auth.AuthPermission "modifyPublicCredentials";
   permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
};
??????????
[Message sent by forum member 'liebsche' (liebsche)]

http://forums.java.net/jive/thread.jspa?messageID=344993
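The `JACC Policy Provider: PolicyWrapper.implies` entries in the post already contain everything needed to answer "which permission is missing, for which code source": the required permission, the ProtectionDomain that failed (the application's own codebase under `file:/C:/..._jar/`, not `glassfish/lib`, which is why the `AllPermission` grant for `${com.sun.aas.installRoot}/lib/-` does not help), and the full list of permissions that domain holds. The script below is an added example, not code from the thread or from GlassFish: it parses such entries, extracts those three pieces, applies the `BasicPermission` wildcard rule that `AuthPermission` uses (`createLoginContext.*` implies `createLoginContext.jdbcRealm` but not `doAsPrivileged`), and emits a `grant codeBase "..."` fragment scoped to the failing codebase instead of a bare `grant { }` that applies to all code on the server. The sample log text is constructed from the post's two entries with shortened paths and abbreviated permission lists.

```python
import re

# Constructed sample: two PolicyWrapper.implies entries modelled on the post,
# with paths shortened and the granted-permission lists abbreviated.
SAMPLE_LOG = """\
[#|2009-04-30T13:11:38.812+0200|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=30;|JACC Policy Provider: PolicyWrapper.implies, context(example_war)- permission((javax.security.auth.AuthPermission createLoginContext.jdbcRealm)) domain that failed(ProtectionDomain (file:/C:/apps/example_jar/ <no signer certificates>)
 EJBClassLoader :
urlSet = [URLEntry : file:/C:/apps/example_jar/]
 <no principals>
 java.security.Permissions@ecb74e (
 (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
 (java.lang.RuntimePermission getClassLoader)
 (unresolved javax.security.jacc.WebResourcePermission /fileDownload/* !GET,POST)
 (java.io.FilePermission <<ALL FILES>> read,write)
)

)|#]
[#|2009-05-04T17:11:43.281+0200|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=31;|JACC Policy Provider: PolicyWrapper.implies, context(example_war)- permission((javax.security.auth.AuthPermission doAsPrivileged)) domain that failed(ProtectionDomain (file:/C:/apps/example_jar/ <no signer certificates>)
 <no principals>
 java.security.Permissions@140733d (
 (javax.security.auth.AuthPermission createLoginContext.*)
 (java.lang.RuntimePermission getClassLoader)
)

)|#]
"""

# One GlassFish log record runs from "[#|" to "|#]" and may span many lines.
RECORD_RE = re.compile(r"\[#\|(.*?)\|#\]", re.S)

# Required permission, its name, and the codebase of the domain that failed.
REQ_RE = re.compile(
    r"permission\(\((\S+) (.+?)\)\) domain that failed\(ProtectionDomain \((\S+)"
)

# One granted permission per line inside the "java.security.Permissions@... (" block.
GRANT_RE = re.compile(r"^\s*\((?:unresolved )?(\S+) (.*)\)\s*$", re.M)


def basic_permission_implies(granted_name: str, required_name: str) -> bool:
    """java.security.BasicPermission name matching, as used by AuthPermission:
    "*" implies everything, "a.b.*" implies any name starting with "a.b.",
    otherwise the names must be equal."""
    if granted_name == "*" or granted_name == required_name:
        return True
    if granted_name.endswith(".*"):
        return required_name.startswith(granted_name[:-1])
    return False


def analyze_record(record: str):
    """Return None for records that are not PolicyWrapper.implies failures,
    otherwise a dict describing what was required and what was granted."""
    m = REQ_RE.search(record)
    if not m:
        return None
    req_class, req_name, codebase = m.group(1), m.group(2), m.group(3)
    granted = GRANT_RE.findall(record)
    same_class = [rest for cls, rest in granted if cls == req_class]
    # Only the first token of a granted entry is its name; the remainder
    # (if any) is the action list, which BasicPermission subclasses lack.
    implied = any(basic_permission_implies(g.split()[0], req_name) for g in same_class)
    return {
        "required": (req_class, req_name),
        "codebase": codebase,
        "granted_same_class": same_class,
        "granted_total": len(granted),
        "implied": implied,
    }


def triage(log_text: str):
    """Analyze every PolicyWrapper.implies failure found in the log text."""
    results = []
    for record in RECORD_RE.findall(log_text):
        r = analyze_record(record)
        if r is not None:
            results.append(r)
    return results


def policy_fragment(result) -> str:
    """Render a server.policy grant scoped to the codebase that failed,
    rather than a global grant that applies to every code source."""
    cls, name = result["required"]
    return (
        f'grant codeBase "{result["codebase"]}" {{\n'
        f'    permission {cls} "{name}";\n'
        "};"
    )


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        cls, name = r["required"]
        print(f"required: {cls} {name}")
        print(f"failing codebase: {r['codebase']}")
        print(f"granted of same class: {r['granted_same_class'] or 'none'}")
        print(f"implied by a grant: {r['implied']}")
        if not r["implied"]:
            print(policy_fragment(r))
        print()
```

Run against the sample, the first entry reports no `AuthPermission` granted to the application codebase at all, and the second shows that `createLoginContext.*` was added but does not cover `doAsPrivileged`, which matches the post's two failures in turn. Feeding the script the real `server.log` shows each further permission the application's domain is missing as it is hit, so grants can be added one at a time, tied to the application's codeBase, instead of guessing a list.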