I still have the problem.
In the end, the identity assertion thing did not help.
The problem is only occurring in our QC environment, so it is not easy to debug.
I have added many logs and finally I was able to get an interesting log.
Our problem is that sometimes the check for access to a resource for one user is apparently done using the wrong user.
Now this log shows a user "p2wstest" logging in to access a web service and our login module adding groups for another user!
The problem is really intermittent. I have synchronized authenticateUser but it did not help.
I am still looking at how our LoginModule could use the wrong name.
Our login module is simply extending AppservPasswordLoginModule and using the "_username" member.
Is a login module created for each user login?
I will add more logs to see if the _username variable can change in one instance of the loginModule while executing authenticateUser().
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler processPasswordValidation
FINE: JMAC: In PasswordValidationCallback Processor
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.auth.login.LoginContextDriver jmacLogin
FINE: jmac login user [p2wstest] into realm: StelvioJDBCRealm using JAAS module: StelvioJDBCRealm
Feb 12, 2010 9:12:59 AM com.sun.appserv.security.AppservPasswordLoginModule initialize
FINE: Login module initialized: class com.stelvio.security.authentication.StelvioLoginModule
Feb 12, 2010 9:12:59 AM com.stelvio.security.authentication.StelvioLoginModule
INFO: Stelvio Login module: Calling commitUserAuthentication user: mtlp2 groups: GCRassessorAllocation|GCRcostcontrol|GCRpublic|
Feb 12, 2010 9:12:59 AM com.sun.appserv.security.AppservPasswordLoginModule login
FINE: JAAS login complete.
Feb 12, 2010 9:12:59 AM com.sun.appserv.security.AppservPasswordLoginModule commit
FINE: JAAS authentication committed.
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.auth.login.LoginContextDriver jmacLogin
FINE: jmac Password login succeeded for : p2wstest
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler processPasswordValidation
FINE: JMAC: authentication succeeded for user =
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.provider.BasePolicyWrapper doImplies
FINE: JACC Policy Provider, failed Permission Check at :
java.lang.Exception
at com.sun.enterprise.security.provider.BasePolicyWrapper.doImplies(BasePolicyWrapper.java:404)
at com.sun.enterprise.security.provider.BasePolicyWrapper.implies(BasePolicyWrapper.java:246)
at org.glassfish.ejb.security.application.EJBSecurityManager.authorize(EJBSecurityManager.java:712)
at com.sun.ejb.containers.BaseContainer.authorize(BaseContainer.java:2249)
at com.sun.ejb.EjbInvocation.authorizeWebService(EjbInvocation.java:639)
...
at java.lang.Thread.run(Thread.java:619)
Feb 12, 2010 9:12:59 AM javax.enterprise.system.core.security
INFO: JACC Policy Provider: Failed Permission Check, context(AllianzAssessment/EJB_jar)-
permission((javax.security.jacc.EJBMethodPermission LocatorWS
locateRepairer,ServiceEndpoint,com.stelvio.WebService.locator.LocateRepairerRqx))
Feb 12, 2010 9:12:59 AM com.sun.enterprise.security.provider.BasePolicyWrapper$2 run
FINE: Domain that failed(ProtectionDomain (file:/AllianzAssessment/EJB_jar <no signer certificates>)
null
(principals org.glassfish.security.common.PrincipalImpl "mtlp2",
org.glassfish.security.common.Group "GCRassessorAllocation",
org.glassfish.security.common.Group "GCRcostcontrol",
org.glassfish.security.common.Group "GCRpublic",
org.glassfish.security.common.PrincipalImpl "p2wstest")
java.security.Permissions_at_bb7bb4 (
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.net.SocketPermission * connect,resolve)
...
VD
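The failure mode the post suspects, per-login state leaking between concurrent logins so that one caller's groups are committed into another caller's Subject, is worth showing concretely. The following is an added illustration, not the poster's StelvioLoginModule and not GlassFish's own code: it uses only the AppservPasswordLoginModule members named in the post (`_username`, `authenticateUser()`, `commitUserAuthentication(String[])`), leaves the realm password check as a comment because the base class's password accessor is not on the page, and replaces the JDBC realm with a hypothetical in-memory `GroupStore` holding constructed sample data.

```java
import com.sun.appserv.security.AppservPasswordLoginModule;
import javax.security.auth.login.LoginException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Deliberately broken: per-login state in static fields. JAAS creates a new
// LoginModule instance per LoginContext, but statics are shared by every
// instance, so two concurrent logins race: thread A stores "p2wstest", thread B
// overwrites it with "mtlp2", and A commits B's groups into A's Subject.
class LeakyLoginModule extends AppservPasswordLoginModule {
    private static String currentUser;      // BUG: shared across all logins
    private static String[] currentGroups;  // BUG: shared across all logins

    @Override
    protected void authenticateUser() throws LoginException {
        currentUser = _username;                           // A writes p2wstest
        // (password verification against the realm belongs here)
        currentGroups = GroupStore.groupsFor(currentUser); // B may run in between
        commitUserAuthentication(currentGroups);           // A may commit B's groups
    }
}

// Corrected: only the instance fields the base class fills from the callbacks
// plus method-local variables, so concurrent logins cannot see each other's data.
class SafeLoginModule extends AppservPasswordLoginModule {
    @Override
    protected void authenticateUser() throws LoginException {
        final String user = _username;                     // this instance's user only
        // (password verification against the realm belongs here)
        final String[] groups = GroupStore.groupsFor(user);
        if (groups == null) {
            throw new LoginException("no group mapping for " + user);
        }
        commitUserAuthentication(groups);                  // groups resolved for 'user' only
    }
}

// Hypothetical stand-in for the realm's database (constructed sample data).
// Read-only and thread-safe; it never records which user is "current".
final class GroupStore {
    private static final Map<String, String[]> GROUPS = new ConcurrentHashMap<String, String[]>();
    static {
        GROUPS.put("p2wstest", new String[] {"GCRpublic"});
        GROUPS.put("mtlp2", new String[] {"GCRassessorAllocation", "GCRcostcontrol", "GCRpublic"});
    }
    static String[] groupsFor(String user) {
        String[] g = GROUPS.get(user);
        return g == null ? null : g.clone();               // never hand out shared arrays
    }
}
```

The same kind of leak occurs with a shared (static or singleton) JDBC connection, cache or DAO field that stores the user between the lookup and the commit, so the check is not whether `authenticateUser` is synchronized but whether anything it touches outlives the module instance.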