users@glassfish.java.net

Re: Why isn't the login popup not triggered for secured page

From: <glassfish_at_javadesktop.org>
Date: Mon, 08 Mar 2010 04:36:26 PST

GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted

I think it's because the admin-realm admin is automatically authenticated, and when I try to access a restricted page, it checks the authenticated user, and since it's admin and it has authorization to the page, the page is accessible and does not prompt to log in.

These still appear when I run the application and am not trying to log in to the admin console of GlassFish:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

Also these

(unresolved javax.security.jacc.WebUserDataPermission /security/* null)
 (unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
 (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
 (unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
 (unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
 (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)

I tried using <url-pattern>/*</url-pattern> instead of <url-pattern>/security/*</url-pattern>

and interestingly this is what I got in the trace.

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : employee
permission check done to set SecurityContext
Set security context as user: employee

and it goes to an access denied page.

'HTTP Status 403 - Access to the requested resource has been denied'

I don't understand how GlassFish authenticates the user employee without the user submitting the login credentials. It even says 'Password login succeeded for : employee'. Please help me solve this problem.
[Message sent by forum member 'cadii' (vishanka18_at_yahoo.com)]

http://forums.java.net/jive/thread.jspa?messageID=390626