users@glassfish.java.net

Re: JACC Intermittent problem

From: <Ronald.Monzillo_at_Sun.COM>
Date: Thu, 28 Jan 2010 18:08:25 -0500

On 01/28/10 16:55, Vincent Deschênes wrote:
>
> We have an application that is serving web service from ejb.
>
> When testing our web service we have intermittent authorization error
> with log like this:
>
> INFO|glassfishv3.0|javax.enterprise.system.core.security|_ThreadID=35;_ThreadName=Thread-1;|JACC
> Policy Provider: Failed Permission Check,
> context(applicationName/EJB_jar)-
> permission((javax.security.jacc.EJBMethodPermission
> FepInterfaceService
> preAllocateAssessment,ServiceEndpoint,com.stelvio.WebService.fep.PreAllocateAssessmentRequest))|#]
>
> The exact same request can pass many times and suddenly give this
> error once or twice and then it will continue to work.
>
> We have tried both JACC providers (default and simple) with the same
> result.
>
> Does anyone have an idea?
>
Vincent,

Since both providers are affected, my hunch is that there may be a
problem in the authentication state, perhaps a
problem with the protection domain cache, the realm, or the role mapping
system.

In any event, if you set the security logging level to FINE, and
configure the default policy provider,
then the provider will also log the failing protection domain, which
will let us see what principals are
being applied in the access decision.

asadmin list-logger-levels
asadmin set-log-level javax.enterprise.system.core.security=FINE

Unfortunately, a lot more stuff will appear in the log. Hopefully you
will still be able to reproduce the problem.

The interesting log message will come from line 411 of
BasePolicyWrapper.java:

if (logger.isLoggable(Level.FINE)) {
    logger.fine("Domain that failed(" + domain2 + ")");
}

If setting the security logger to FINE is too intrusive, and you think
you can change the isLoggable call to check for Level.INFO, rebuild the
provider, and replace the corresponding module, you might want to give
that a try.

In any event, please let me know if you are able to make any progress
with either of the above approaches.
If you get the failure, and can show me the protection domain, and the
associated granted.policy file, I may be
able to see what is going wrong.

Ron

ps; Stevio as in passo de Stelvio?

>
> Thanks.
>
> VD
>
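
Added example, not part of the original thread and not GlassFish code: with the security logger at FINE, this sketch pairs each "Failed Permission Check" record with the "Domain that failed(...)" record logged on the same thread, so the failing protection domain can be read next to the denied permission. It assumes records in the `[#|timestamp|level|product|logger|name=value pairs|message|#]` layout and that both messages are emitted on the same thread; the function names and the sample log are constructed for illustration.

```python
import re

SECURITY_LOGGER = "javax.enterprise.system.core.security"
RECORD = re.compile(r"\[#\|(.*?)\|#\]", re.S)   # one [#|...|#] record, may span lines
THREAD = re.compile(r"_ThreadID=(\d+)")
CHECK = re.compile(r"JACC Policy Provider: Failed Permission Check, "
                   r"context\((.*?)\)- permission\((.*)\)\s*$", re.S)
DOMAIN = re.compile(r"Domain that failed\((.*)\)\s*$", re.S)

def correlate(log_text):
    """Pair each failed check with the failing domain logged on the same thread."""
    pending, findings = {}, []
    for rec in RECORD.finditer(log_text):
        fields = rec.group(1).split("|", 5)
        if len(fields) != 6 or fields[3] != SECURITY_LOGGER:
            continue
        ts, nv, msg = fields[0], fields[4], fields[5].strip()
        check, dom = CHECK.match(msg), DOMAIN.match(msg)
        if not (check or dom):
            continue
        m = THREAD.search(nv)
        tid = m.group(1) if m else "?"
        key = "permission" if check else "domain"
        f = pending.get(tid)
        if f is None or key in f:            # same kind seen twice: start a new finding
            if f and "permission" in f:
                findings.append(f)           # failure that had no domain record
            f = pending[tid] = {"thread": tid}
        if check:
            f.update(time=ts, context=check.group(1), permission=check.group(2))
        else:
            f["domain"] = dom.group(1).strip()
        if "permission" in f and "domain" in f:
            findings.append(pending.pop(tid))
    findings.extend(f for f in pending.values() if "permission" in f)
    return findings

def lacks_principals(finding):
    # java.security.ProtectionDomain.toString() prints this marker for a domain without principals
    return "<no principals>" in finding.get("domain", "")

# Constructed sample: timestamps, thread 36, the third record and the domain text are made up
SAMPLE_LOG = """\
[#|2010-01-28T17:02:11.120-0500|FINE|glassfishv3.0|javax.enterprise.system.core.security|_ThreadID=35;_ThreadName=Thread-1;|Domain that failed(ProtectionDomain (constructed)
 <no principals>)|#]
[#|2010-01-28T17:02:11.121-0500|INFO|glassfishv3.0|javax.enterprise.system.core.security|_ThreadID=35;_ThreadName=Thread-1;|JACC Policy Provider: Failed Permission Check, context(applicationName/EJB_jar)- permission((javax.security.jacc.EJBMethodPermission FepInterfaceService preAllocateAssessment,ServiceEndpoint,com.stelvio.WebService.fep.PreAllocateAssessmentRequest))|#]
[#|2010-01-28T17:02:12.000-0500|INFO|glassfishv3.0|constructed.other.logger|_ThreadID=36;_ThreadName=Thread-2;|unrelated message|#]
[#|2010-01-28T17:02:13.500-0500|INFO|glassfishv3.0|javax.enterprise.system.core.security|_ThreadID=36;_ThreadName=Thread-2;|JACC Policy Provider: Failed Permission Check, context(applicationName/EJB_jar)- permission((javax.security.jacc.EJBMethodPermission FepInterfaceService preAllocateAssessment,ServiceEndpoint,com.stelvio.WebService.fep.PreAllocateAssessmentRequest))|#]
"""
```

Calling `correlate()` on the server log text returns one dictionary per failure; a finding without a `domain` key means the FINE record was not captured for that failure.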