users@glassfish.java.net

[gf-users] Re: help diagnosing authorization issue GF 4.1 b-13 or maybe b-12?

From: Christopher Prince <cprince_at_computer.org>
Date: Wed, 4 Mar 2015 00:13:40 -0800

Thanks for the reply, this is interesting. I don’t normally use app server specific deployment descriptors in the applications.

 

As I’ve been working through this I did find that, initially when I set up the application, the RBAC part was not in place. I used the default user / pass and principal mapping and a file realm to get started. It seems I can’t undo that. I remove the settings under server-config->security, save, and they are still there when I restart.

 

When I created a new domain and entered the realm, without ever having used the default principal/password/role-mapping, it works fine.

 

It is odd, I’ve never had that happen before.

 

From: William [mailto:streetpoet_at_163.com]
Sent: Tuesday, March 03, 2015 6:15 AM
To: cprince_at_computer.org
Cc: users_at_glassfish.java.net
Subject: Re: [gf-users] help diagnosing authorization issue GF 4.1 b-13 or maybe b-12?

 

Hi Chris,

 

Please check your configuration before doing hard research on JAAS, since I have used the latest GlassFish and there is no issue here.

In your glassfish-web.xml configuration, there is a security-role-mapping element.

You should map your group name and role name like:

 

    <security-role-mapping>
        <role-name>admin-role</role-name>
        <group-name>admin-group</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user-role</role-name>
        <group-name>user-group</group-name>
    </security-role-mapping>

 

After adding this mapping, you can add the security roles in your web.xml like:

 

    <security-role>
        <role-name>admin-role</role-name>
    </security-role>
    <security-role>
        <role-name>user-role</role-name>
    </security-role>

 

It seems the system just accepts security roles (not groups) in your web.xml, so it’s necessary to add the mapping in glassfish-web.xml.

From your mail, you can make sure you get the groups, but you are not sure if the retrieved groups map to the correct roles which are set in web.xml.

 

By the way, I am not sure if it can resolve your issue, but you can just try.

 

Best Regards

William

2015/3/3

 

On Mar 2, 2015, at 4:51 AM, Chris Prince <cprince_at_computer.org> wrote:

 

I have an odd issue with my application that I am trying to diagnose. It is using a JDBC Realm that pulls from database views. I’ve used similar configurations for years on dozens of systems.

 

The problem that occurs is that users are authenticated, but are not authorized. I assumed, of course, I had some settings incorrect in the realm; however, turning logging up to finest as well as debugging the JDBCRealm source shows that the groups are in fact being loaded, i.e. when commitAuthentication(..) is called the grpList contains all assigned roles (and matches roles in application.xml).

 

The only way so far that I can get groups assigned to a logged in user is with the “Assign Groups” field in the realm.

 

 

I could use some guidance on a couple things:

    Which tag has the b-13 source code? I was only able to find a 4.1 b-12.

    If I were to try tracing the issue from the web authorization, what is a good class to start with and where can I find it?

 

 

Thanks

Chris
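
Added example, not part of the original thread: a small Python check for the "authenticated but not authorized" symptom discussed above. It compares the roles declared in web.xml with the security-role-mapping entries in glassfish-web.xml and with the groups the realm returns. The function names, the sample descriptors and the realm group list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace so web.xml files of any Java EE version match."""
    return tag.rsplit("}", 1)[-1]

def declared_roles(web_xml):
    """Roles named in <security-role> or <auth-constraint> of web.xml."""
    roles = set()
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) in ("security-role", "auth-constraint"):
            roles |= {c.text.strip() for c in el
                      if local(c.tag) == "role-name" and c.text}
    return roles - {"*", "**"}  # wildcards are not role names

def role_mappings(gf_web_xml):
    """role -> set of group names from <security-role-mapping> elements."""
    mapping = {}
    for srm in ET.fromstring(gf_web_xml).iter("security-role-mapping"):
        role = (srm.findtext("role-name") or "").strip()
        groups = {g.text.strip() for g in srm.findall("group-name") if g.text}
        mapping.setdefault(role, set()).update(groups)
    return mapping

def audit(web_xml, gf_web_xml, realm_groups):
    """Compare declared roles, mapped roles and the groups the realm returns."""
    roles, mapping = declared_roles(web_xml), role_mappings(gf_web_xml)
    mapped_groups = set().union(*mapping.values())
    return {
        "roles_without_group": sorted(r for r in roles if not mapping.get(r)),
        "undeclared_roles": sorted(set(mapping) - roles),
        "unknown_groups": sorted(mapped_groups - set(realm_groups)),
    }

# Constructed sample descriptors and realm groups (not from the thread).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-role><role-name>admin-role</role-name></security-role>
  <security-role><role-name>user-role</role-name></security-role>
</web-app>"""
GF_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin-role</role-name><group-name>admin-group</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>users-role</role-name><group-name>users</group-name>
  </security-role-mapping>
</glassfish-web-app>"""
REALM_GROUPS = ["admin-group", "user-group"]
```

Calling audit(WEB_XML, GF_WEB_XML, REALM_GROUPS) on the sample reports user-role as having no group mapping, users-role as mapped but never declared, and users as a group the realm does not return.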