users@glassfish.java.net

[gf-users] Re: help diagnosing authorization issue GF 4.1 b-13 or maybe b-12?

From: William <streetpoet_at_163.com>
Date: Tue, 3 Mar 2015 22:15:13 +0800

Hi Chris,

Please check your configuration before doing hard research on JAAS, since I have used the latest GlassFish and there is no issue here.
In your glassfish-web.xml configuration, there is a security-role-mapping element.
You should map your group name and role name like:

    <security-role-mapping>
        <role-name>admin-role</role-name>
        <group-name>admin-group</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user-role</role-name>
        <group-name>user-group</group-name>
    </security-role-mapping>

After adding this mapping, you can add the security roles in your web.xml like:

    <security-role>
        <role-name>admin-role</role-name>
    </security-role>
    <security-role>
        <role-name>user-role</role-name>
    </security-role>

It seems the system just accepts security roles (not groups) in your web.xml, so it’s necessary to add the mapping in glassfish-web.xml.
From your mail, you can be sure you get the groups, but you are not sure if the retrieved groups map to the correct roles that are set in web.xml.

By the way, I am not sure if it can resolve your issue, but you can just try.

Best Regards
William
2015/3/3

> On Mar 2, 2015, at 4:51 AM, Chris Prince <cprince_at_computer.org> wrote:
>
> I have an odd issue with my application that I am trying to diagnose. It is using a JDBC Realm that pulls from database views. I’ve used similar configurations for years on dozens of systems.
>
> The problem that occurs is that users are authenticated, but are not authorized. I assumed, of course, I had some settings incorrect in the realm, however turning logging up to finest as well as debugging the JDBCRealm source shows that the groups are in fact being loaded, i.e. when commitAuthentication(..) is called the grpList contains all assigned roles (and matches roles in application.xml).
>
> The only way so far that I can get groups assigned to a logged in user is with the “Assign Groups” field in the realm.
>
>
> I could use some guidance on a couple things:
> Which tag has the b-13 source code? I was only able to find a 4.1 b-12.
> If I were to try tracing the issue from the web authorization, what is a good class to start with and where can I find it?
>
>
> Thanks
> Chris
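
A way to check the group-to-role mapping discussed in this thread, as an added example that is not code from either poster or from GlassFish: it reads a web.xml and a glassfish-web.xml, lists declared roles that no group maps to, and computes which roles a user with given realm groups ends up holding. The descriptors are constructed samples, the function names are hypothetical, and it assumes only explicit `group-name` mappings count (GlassFish's default principal-to-role mapping is off and `principal-name` entries are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors, not the poster's real files.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-role><role-name>admin-role</role-name></security-role>
  <security-role><role-name>user-role</role-name></security-role>
</web-app>"""
GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin-role</role-name>
    <group-name>admin-group</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def _local(elem):
    """Tag name without the XML namespace, so both descriptors parse alike."""
    return elem.tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    """Stripped text of the direct children of parent with the given tag."""
    return [c.text.strip() for c in parent if _local(c) == name and c.text]

def declared_roles(web_xml):
    """Roles declared with <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    return {r for e in root.iter() if _local(e) == "security-role"
            for r in _texts(e, "role-name")}

def group_to_roles(gf_xml):
    """group-name -> set of role-names from <security-role-mapping>."""
    mapping = {}
    for e in ET.fromstring(gf_xml).iter():
        if _local(e) == "security-role-mapping":
            for group in _texts(e, "group-name"):
                mapping.setdefault(group, set()).update(_texts(e, "role-name"))
    return mapping

def unmapped_roles(web_xml, gf_xml):
    """Declared roles that no group maps to: nobody can hold them via groups."""
    mapped = set().union(*group_to_roles(gf_xml).values())
    return declared_roles(web_xml) - mapped

def effective_roles(groups, web_xml, gf_xml):
    """Roles a user with the given realm groups ends up with."""
    mapping = group_to_roles(gf_xml)
    granted = set().union(*(mapping.get(g, set()) for g in groups))
    return granted & declared_roles(web_xml)

if __name__ == "__main__":
    print("unmapped:", sorted(unmapped_roles(WEB_XML, GLASSFISH_WEB_XML)))
    print("roles:", sorted(effective_roles(["admin-group", "user-group"],
                                           WEB_XML, GLASSFISH_WEB_XML)))
```

In the sample, `user-role` is declared but unmapped, so a user whose realm returns only `user-group` authenticates and still holds no role, which matches the symptom described in the quoted message.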