users@glassfish.java.net

[gf-users] Re: help diagnosing authorization issue GF 4.1 b-13 or maybe b-12?

From: Christopher Prince <cprince_at_computer.org>
Date: Thu, 5 Mar 2015 22:21:49 -0800

The project is not using any application server specific deployment
descriptors. Configuration is only done using the admin console and the
standard deployment descriptors.

 

From: Martin Gainty [mailto:mgainty_at_hotmail.com]
Sent: Wednesday, March 04, 2015 5:11 AM
To: cprince_at_computer.org; 'William'
Cc: users_at_glassfish.java.net
Subject: RE: [gf-users] Re: help diagnosing authorization issue GF 4.1 b-13
or maybe b-12?

 





  _____

From: cprince_at_computer.org <mailto:cprince_at_computer.org>
To: streetpoet_at_163.com <mailto:streetpoet_at_163.com>
CC: users_at_glassfish.java.net <mailto:users_at_glassfish.java.net>
Date: Wed, 4 Mar 2015 00:13:40 -0800
Subject: [gf-users] Re: help diagnosing authorization issue GF 4.1 b-13 or
maybe b-12?

Thanks for the reply, this is interesting. I don't normally use app server
specific deployment descriptors in the applications.

 

As I've been working through this I did find that, initially when I set up the
application, the RBAC parts were not in place. I used the default user /
pass and principal mapping and a file realm to get started. It seems I
can't undo that. I remove the settings under server-config->security, save,
and they are still there when I restart.

MG>Application scoped resources can be stored in glassfish-resources.xml
files which need to go into the META-INF dir for an EAR
MG>and in WEB-INF for a WAR.
MG>Curious: did you clean the glassfish-resources.xml files from the META-INF and
WEB-INF folders?

 

When I created a new domain and entered the realm, without ever having used
the default principal/password/role-mapping, it works fine.

 

It is odd, I've never had that happen before.

 

From: William [mailto:streetpoet_at_163.com]
Sent: Tuesday, March 03, 2015 6:15 AM
To: cprince_at_computer.org <mailto:cprince_at_computer.org>
Cc: users_at_glassfish.java.net <mailto:users_at_glassfish.java.net>
Subject: Re: [gf-users] help diagnosing authorization issue GF 4.1 b-13 or
maybe b-12?

 

Hi Chris,

 

Please check your configuration before doing hard research on
JAAS, since I have used the latest GlassFish and there is no issue here.

In your glassfish-web.xml configuration, there is a security-role-mapping
element.

You should map your group name and role name like:

 

    <security-role-mapping>
        <role-name>admin-role</role-name>
        <group-name>admin-group</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user-role</role-name>
        <group-name>user-group</group-name>
    </security-role-mapping>

 

After adding this mapping, you can add the security roles in your web.xml like:

 

    <security-role>
        <role-name>admin-role</role-name>
    </security-role>
    <security-role>
        <role-name>user-role</role-name>
    </security-role>

 

It seems the system only accepts security roles (not groups) in your web.xml, so
it's necessary to add the mapping in glassfish-web.xml.

From your mail, you can make sure you get the groups, but you are not sure
whether the retrieved groups map to the correct roles set in web.xml.

 

By the way, I am not sure if it can resolve your issue, but you can just
try.

 

Best Regards

William

2015/3/3

 

On Mar 2, 2015, at 4:51 AM, Chris Prince <cprince_at_computer.org
<mailto:cprince_at_computer.org> > wrote:

 

I have an odd issue with my application that I am trying to diagnose. It is
using a JDBC Realm that pulls from database views. I've used similar
configurations for years on dozens of systems.

 

The problem that occurs is that users are authenticated, but are not authorized.
I assumed, of course, I had some settings incorrect in the realm; however,
turning logging up to finest as well as debugging the JDBCRealm source shows
that the groups are in fact being loaded, i.e. when commitAuthentication(..)
is called the grpList contains all assigned roles (and matches roles in
application.xml).

 

The only way so far that I can get groups assigned to a logged in user is
with the "Assign Groups" field in the realm.

 

 

I could use some guidance on a couple things:

    Which tag has the b-13 source code? I was only able to find a 4.1 b-12.

    If I were to try tracing the issue from the web authorization, what is a good
class to start with, and where can I find it?

 

 

Thanks

Chris
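
The check William's reply describes, as an added example that is not part of the original thread: it compares the roles declared and used in web.xml with the security-role-mapping entries in glassfish-web.xml and reports any role with no group or principal behind it. The descriptors are constructed samples reusing the thread's role and group names, and audit_role_mappings is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed samples reusing the thread's role/group names; user-role is left unmapped.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin-role</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin-role</role-name></security-role>
  <security-role><role-name>user-role</role-name></security-role>
</web-app>"""

GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin-role</role-name>
    <group-name>admin-group</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}role-name'."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Text of every element called `name` at or below `parent`."""
    return [(e.text or "").strip() for e in parent.iter() if local(e.tag) == name]

def audit_role_mappings(web_xml, glassfish_web_xml):
    """Hypothetical helper: split roles into mapped / unmapped / undeclared."""
    web = ET.fromstring(web_xml)
    declared, constrained = set(), set()
    for el in web.iter():
        if local(el.tag) == "security-role":
            declared.update(texts(el, "role-name"))
        elif local(el.tag) == "auth-constraint":
            constrained.update(texts(el, "role-name"))
    mapping = {}
    for el in ET.fromstring(glassfish_web_xml).iter():
        if local(el.tag) == "security-role-mapping":
            targets = texts(el, "group-name") + texts(el, "principal-name")
            for role in texts(el, "role-name"):
                mapping.setdefault(role, []).extend(targets)
    return {
        "mapped": {r: mapping[r] for r in declared if mapping.get(r)},
        "unmapped": sorted(r for r in declared if not mapping.get(r)),
        "undeclared": sorted(constrained - declared - {"*", "**"}),
    }
```

On the sample input, admin-role resolves to admin-group and user-role is reported as unmapped; "undeclared" lists roles used in an auth-constraint that have no security-role declaration.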