
Key: GLASSFISH-17107
Type: Bug
Status: Open
Priority: Critical
Assignee: prasads
Reporter: paal
Votes: 0
Watchers: 2

LDAP authentication gets replaced by File authentication as a side-effect of bootAMX

Created: 26/Jul/11 09:37 AM   Updated: 06/Jan/12 04:38 AM
Component/s: amx
Affects Version/s: 9.0pe, 3.1.1_b10
Fix Version/s: None

Time Tracking:
Not Specified

Environment:

Windows 7


Tags: 3_1_1-next 3_1_1-scrubbed 3_1_2-exclude
Participants: kumarjayanti, paal and prasads


Description

We have an enterprise application consisting of several parts where access is restricted to users holding specific roles. The server-config's default realm is an LDAPRealm. One of our EJBs uses AMX to retrieve details about available connection pools. To make sure AMX is available, the EJB invokes bootAMX the first time this information is requested:

final MBeanServer mBeanServer = java.lang.management.ManagementFactory.getPlatformMBeanServer();
...
final ObjectName jdbcPoolObjName = new ObjectName("amx:type=jdbc-connection-pool,*");
Set<ObjectName> connectionPoolNames = mBeanServer.queryNames(jdbcPoolObjName, null);
if (connectionPoolNames.isEmpty()) {
    mBeanServer.invoke(new ObjectName("amx-support:type=boot-amx"), "bootAMX", new Object[0], new String[0]);
...

This works fine for the first request, but any following requests are rejected with authentication failure. From the server.log I can see that File authentication is attempted for these requests:

...
Caused by: javax.security.auth.login.LoginException: Failed file login for user1.
at com.sun.enterprise.security.auth.login.FileLoginModule.authenticate(FileLoginModule.java:84)
...

This is also the case for attempts to access other parts of our application. The same problem occurs if AMX is booted by other means, e.g. by making a connection to the Admin Service with JConsole. It looks like the AMX boot process has a side-effect that makes GlassFish ignore its default realm.

However, if I log in to the GlassFish Admin Console after booting AMX, the situation goes back to normal. The server.log output from this is (I use the default settings for logging):

[#|2011-07-26T08:42:39.492+0200|INFO|glassfish3.1.1|com.sun.jersey.server.impl.application.WebApplicationImpl|_ThreadID=26;_ThreadName=Thread-2;|Initiating Jersey application, version 'Jersey: 1.8 06/24/2011 12:17 PM'|#]

Somehow, this has a side-effect that brings the default realm back into play.

(The problem was discovered when migrating the application from GlassFish version 2. It has been reproduced with both b10 and b13 of the 3.1.1 version.)
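A log check for the symptom described above, as an added example that is not part of the original report or of GlassFish: it splits server.log into records using the `[#|...|#]` layout of the line quoted in the report and lists logins rejected by FileLoginModule, which should not appear while the default realm is an LDAPRealm. The sample records are constructed; only the exception text and the Jersey line follow the report's excerpts.

```python
import re

# GlassFish server.log record layout, as in the line quoted in the report:
# [#|timestamp|level|product|logger|key=value;...|message|#]
# The message may span many lines (stack traces), hence DOTALL.
RECORD = re.compile(
    r"\[#\|(?P<ts>[^|]*)\|(?P<level>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<logger>[^|]*)\|(?P<kv>[^|]*)\|(?P<msg>.*?)\|#\]",
    re.DOTALL,
)
FILE_MODULE = "com.sun.enterprise.security.auth.login.FileLoginModule"
FAILED_USER = re.compile(r"Failed file login for (?P<user>\S+?)\.?(?:\s|$)")


def file_realm_failures(log_text):
    """Return (timestamp, user) for every record whose stack trace shows
    FileLoginModule rejecting a login."""
    hits = []
    for rec in RECORD.finditer(log_text):
        msg = rec.group("msg")
        if FILE_MODULE not in msg:
            continue  # not a file-realm authentication failure
        m = FAILED_USER.search(msg)
        hits.append((rec.group("ts"), m.group("user") if m else "<unknown>"))
    return hits


# Constructed sample: logger name, timestamps and user2 are made up; the
# exception text and the Jersey line follow the excerpts in the report.
SAMPLE_LOG = """\
[#|2011-07-26T08:40:01.100+0200|WARNING|glassfish3.1.1|example.security|_ThreadID=20;_ThreadName=Thread-2;|Login failed
Caused by: javax.security.auth.login.LoginException: Failed file login for user1.
\tat com.sun.enterprise.security.auth.login.FileLoginModule.authenticate(FileLoginModule.java:84)
|#]

[#|2011-07-26T08:40:05.200+0200|WARNING|glassfish3.1.1|example.security|_ThreadID=21;_ThreadName=Thread-2;|Login failed
Caused by: javax.security.auth.login.LoginException: Failed file login for user2.
\tat com.sun.enterprise.security.auth.login.FileLoginModule.authenticate(FileLoginModule.java:84)
|#]

[#|2011-07-26T08:42:39.492+0200|INFO|glassfish3.1.1|com.sun.jersey.server.impl.application.WebApplicationImpl|_ThreadID=26;_ThreadName=Thread-2;|Initiating Jersey application, version 'Jersey: 1.8 06/24/2011 12:17 PM'|#]
"""

if __name__ == "__main__":
    for ts, user in file_realm_failures(SAMPLE_LOG):
        print(f"{ts}  file-realm login rejected for {user}")
```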



prasads added a comment - 06/Jan/12 04:38 AM

Excluding from 3.1.2


paal added a comment - 26/Jul/11 02:21 PM

I have tried to switch to LDAPRealm for authentication of the GlassFish admin user, by redefining the server-config's 'admin-realm' as an LDAPRealm, adding a group named 'asadmin' in OpenDS, and adding a user 'admin2' as a member of the 'asadmin' group. This works fine for login as 'admin2' in the GlassFish Admin Console, but booting AMX still switches things to File authentication.

However, if I also define the default-config's 'admin-realm' as an LDAPRealm, and remove all FileRealms and CertificateRealms from both server-config and default-config, the problem finally disappears. I have confirmed that the presence of another type of realm (DataSourceRealm, our own custom realm) does not cause similar problems.


kumarjayanti added a comment - 26/Jul/11 12:08 PM

I do believe this is an issue and I had filed a similar issue on AMX earlier, though it is not resolved yet. I think that bug became irrelevant because Admin GUI no longer uses AMX.

http://java.net/jira/browse/GLASSFISH-12842

Assigning to AMX team.