users@glassfish.java.net

Problem with JavaEE 6 Security under Glassfish v3

From: Dominik Dorn <dominik.dorn_at_gmail.com>
Date: Thu, 17 Dec 2009 01:45:08 +0100

Hi,

I'm trying to get started with security and glassfish v3...

I created a user in the file realm and added it to the group "ADMIN"
(without quotes),
added this stuff to my web.xml:

    <security-role>
        <description>Administration Users</description>
        <role-name>ADMIN</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>whole page</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>

created a sun-web.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd'>
<sun-web-app>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <principal-name>domdorn</principal-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>noaccess</role-name>
        <principal-name>noaccess</principal-name>
    </security-role-mapping>
</sun-web-app>


When I log myself into the application, I get the following responses:

request.userPrincipal: domdorn
request.remoteUser: domdorn
request.authType: FORM
request.isUserInRole("ADMIN"): false

and when I try to access a page which accesses protected beans, like this
one:
import java.util.List;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
// Assumed import: the post omits imports, and Java EE 6 also has
// javax.annotation.ManagedBean; the JSF one is used here.
import javax.faces.bean.ManagedBean;

@ManagedBean
@Stateless
@DeclareRoles({"USER", "ADMIN"})
public class MemberListService {

    @EJB
    private PersonDao personDao;

    public MemberListService() {
    }

    // Only callers in the ADMIN role may invoke these methods; the EJB
    // container rejects every other caller.
    @RolesAllowed({"ADMIN"})
    public List<Person> findAll() {
        return personDao.findAll();
    }

    @RolesAllowed({"ADMIN"})
    public void persist(Person person) {
        System.out.println("Memberlistservice: persist");
        personDao.persist(person);
    }
}

I get the exceptions that are attached to this mail.

What am I doing wrong?

Please help.

Thanks.

Dominik Dorn
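The descriptors quoted above can be checked against the declarative rules they rely on without a running container. The following is an added example, not code from the post or from GlassFish: it parses a web.xml and sun-web.xml constructed from the fragments in the mail (the web.xml fragment is wrapped in a `<web-app>` root), resolves which roles a caller holds through `security-role-mapping` (by principal name or by group name), matches the request path against the `url-pattern`, and evaluates the `auth-constraint`. Read this way, principal `domdorn` in group `ADMIN` holds role `ADMIN` and is allowed `GET /admin/*`, which is the outcome the post expects from `isUserInRole("ADMIN")`. The model also makes one caveat visible: because the constraint lists `GET` and `POST`, every other method on `/admin/*` is uncovered and passes without authentication. The `default_p2r` flag is an assumption that approximates GlassFish's "Default Principal To Role Mapping" option; it is off by default here.

```python
"""Offline model of how the posted web.xml / sun-web.xml descriptors resolve.

Added example, not code from the original post or from GlassFish: it
re-implements the declarative rules (role mapping, url-pattern matching,
auth-constraint combination) so the expected outcome can be checked
without deploying anything.
"""
import xml.etree.ElementTree as ET

# Constructed from the descriptors in the post; web.xml is wrapped in a
# <web-app> root because the mail only quoted the relevant fragment.
WEB_XML = """<web-app>
  <security-role><role-name>ADMIN</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole page</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ADMIN</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>ADMIN</role-name>
    <principal-name>domdorn</principal-name>
    <group-name>ADMIN</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>noaccess</role-name>
    <principal-name>noaccess</principal-name>
  </security-role-mapping>
</sun-web-app>"""


def parse_role_mapping(xml_text):
    """role-name -> (principal names, group names) from sun-web.xml."""
    mapping = {}
    for m in ET.fromstring(xml_text).iter("security-role-mapping"):
        role = m.findtext("role-name").strip()
        principals = {p.text.strip() for p in m.findall("principal-name")}
        groups = {g.text.strip() for g in m.findall("group-name")}
        mapping[role] = (principals, groups)
    return mapping


def parse_constraints(xml_text):
    """Each security-constraint as (url patterns, http methods, auth roles).

    auth roles is None when there is no <auth-constraint> (anyone may access)
    and an empty set for <auth-constraint/> with no role-name (nobody may).
    """
    constraints = []
    for c in ET.fromstring(xml_text).iter("security-constraint"):
        patterns, methods = set(), set()
        for wrc in c.findall("web-resource-collection"):
            patterns |= {p.text.strip() for p in wrc.findall("url-pattern")}
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        auth = c.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.findall("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def roles_for(principal, groups, mapping, default_p2r=False):
    """Roles the caller holds: granted when the principal or any of its groups
    is listed for the role. default_p2r (assumption) approximates GlassFish's
    "Default Principal To Role Mapping", where a group named like a role
    grants that role even without an explicit mapping entry."""
    groups = set(groups)
    roles = {role for role, (ps, gs) in mapping.items() if principal in ps or groups & gs}
    if default_p2r:
        roles |= groups
    return roles


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def is_allowed(constraints, path, method, roles):
    """Declarative check for one request.

    A constraint that lists <http-method> elements covers only those methods:
    any other method is uncovered and passes as if no constraint existed, so
    GET and POST alone leave HEAD, PUT, DELETE, ... on /admin/* unprotected.
    Matching constraints combine per the servlet spec: an empty auth-constraint
    denies everyone, a missing one allows everyone, otherwise roles are unioned.
    """
    matched = [auth for patterns, methods, auth in constraints
               if any(pattern_matches(p, path) for p in patterns)
               and (not methods or method.upper() in methods)]
    if not matched:
        return True
    if any(auth is not None and not auth for auth in matched):
        return False
    if any(auth is None for auth in matched):
        return True
    return bool(set().union(*matched) & set(roles))


MAPPING = parse_role_mapping(SUN_WEB_XML)
CONSTRAINTS = parse_constraints(WEB_XML)

if __name__ == "__main__":
    admin = roles_for("domdorn", {"ADMIN"}, MAPPING)
    print("domdorn roles:", admin)
    print("GET /admin/x as domdorn:", is_allowed(CONSTRAINTS, "/admin/x", "GET", admin))
    print("GET /admin/x as noaccess:", is_allowed(CONSTRAINTS, "/admin/x", "GET", roles_for("noaccess", set(), MAPPING)))
    print("DELETE /admin/x unauthenticated:", is_allowed(CONSTRAINTS, "/admin/x", "DELETE", set()))
```

Dropping the `<http-method>` elements from the constraint (so it covers every method) is the usual way to close the uncovered-method gap; the model returns `False` for the unauthenticated `DELETE` once that change is made to `WEB_XML`.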