webtier@glassfish.java.net

INFO: JACC Policy Provider: Failed Permission Check, context(SportQuest/Spo

From: <webtier_at_javadesktop.org>
Date: Tue, 01 Jun 2010 12:10:18 PDT

Hi, I'm using a servlet filter developed by Jan Luehe to switch from https-http
for non sensitive pages. I know that there's a lot of people who don't reckon that
it's a good idea to do this, however my perspective is that I don't see why every
page in a session should have the overhead of https when you only switched
to SSL in the first place because of the login page.

Anyway, the filter logic is "if we're using SSL and the requested resource isn't
represented by a confidential transport guarantee in web.xml then use http".

It works fine although I get the error as shown in the subject line every time the
filter code calls Policy.implies(). From the documentation it's possible that
impies() is calling SecurityManager.checkPermission which is throwing a
SecurityException.

The code which determines if the resource is supposed to use SSL looks like
this:

[code]
private static final CodeSource cs =
    new CodeSource(null, (java.security.cert.Certificate[]) null);

private static final ProtectionDomain pd =
    new ProtectionDomain(cs, null, null, null);

private static final Policy policy = Policy.getPolicy();

Permission p = new WebUserDataPermission(httpReq);
p = new WebUserDataPermission(p.getName(), httpReq.getMethod());
**boolean isTransportProtected = policy.implies(pd, p) ? false : true;
[/code]

**causes the server log entry

web.xml:

[code]
<security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Pages</web-resource-name>
                <url-pattern>/faces/login.xhtml</url-pattern>
            </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
[code]

Does anyone know what configuration I'm missing to get rid of the error message
or if there's a simpler way to lookup the transport-guarantee resource setting in
web.xml? I have set the security log level to WARN which gets rid of the log
message but I'd like to try to solve the problem properly.

Thanks.
[Message sent by forum member 'healeyb']

http://forums.java.net/jive/thread.jspa?messageID=472312
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.