GLASSFISH-180

Deploy tool should gen warning when app declares roles but does not contain Sun dep. desc.

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 9.0pe
    • Fix Version/s: 9.0pe
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Issuezilla Id:
      180

      Description

      In an effort to get the Roller web log web application running on glassfish I
      created a new JDBC realm and specified in the web application to use it.
      Everything seems to work fine except that calls to the request.getUserPrincipal()
      from inside the web application return null even after logging in. The
      custom realm is invoked and works correctly; through a debugging session I can
      see that the subject's principals collection contains a Principal and two
      groups corresponding to the web app's roles in the commit() method of
      AppservPasswordLoginModule. Setting the security logger to finest shows:

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web.pwc|_ThreadID=13;_ThreadName=httpWor
      kerThread-8080-
      3;ClassName=com.sun.enterprise.security.web.SingleSignOn;MethodName=invoke;_Requ
      estID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Process request
      for '/liberty/j_security_check'|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web.pwc|_ThreadID=13;_ThreadName=httpWor
      kerThread-8080-
      3;ClassName=com.sun.enterprise.security.web.SingleSignOn;MethodName=invoke;_Requ
      estID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;| Checking for SSO cookie|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web.pwc|_ThreadID=13;_ThreadName=httpWor
      kerThread-8080-
      3;ClassName=com.sun.enterprise.security.web.SingleSignOn;MethodName=invoke;_Requ
      estID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;| SSO cookie is not present|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.web.security.RealmAdapter;MethodName=authenticate;_RequestID
      =99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Tomcat callback for authenticate
      user/password|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.web.security.RealmAdapter;MethodName=authenticate;_RequestID
      =99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|usename = admin|#]

      [#|2006-01-22T14:16:28.875-0600|FINEST|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=login
      ;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Processing login with
      credentials of type: class
      com.sun.enterprise.security.auth.login.PasswordCredential|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPas
      swordLogin;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Logging in user
      [admin] into realm: rollerRealm using JAAS module: jdbcRealm|#]

      [#|2006-01-22T14:16:28.875-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=initi
      alize;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Login module
      initialized: class com.onticrealms.glassfish.JDBCLoginModule|#]

      [#|2006-01-22T14:16:28.890-0600|INFO|sun-appserver-
      pe9.0|javax.enterprise.system.stream.out|_ThreadID=13;_ThreadName=httpWorkerThre
      ad-8080-3;|
      JDBCRealm login succeeded.|#]

      [#|2006-01-22T14:16:28.890-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=login
      ;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|JAAS login complete.|#]

      [#|2006-01-22T14:16:41.234-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=commi
      t;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|JAAS authentication
      committed.|#]

      [#|2006-01-22T14:17:42.250-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPas
      swordLogin;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Password login
      succeeded for : admin|#]

      [#|2006-01-22T14:17:43.046-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.enterprise.security.SecurityContext;MethodName=setCurrent;_R
      equestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|permission check done to set
      SecurityContext|#]

      [#|2006-01-22T14:17:44.625-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPas
      swordLogin;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Set security
      context as user: admin|#]

      [#|2006-01-22T14:18:07.453-0600|FINE|sun-appserver-
      pe9.0|javax.enterprise.system.container.web|_ThreadID=13;_ThreadName=httpWorkerT
      hread-8080-
      3;ClassName=com.sun.web.security.RealmAdapter;MethodName=authenticate;_RequestID
      =99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|Web login succeeded for: admin|#]

      However, when the request reaches the web application, calling
      request.getUserPrincipal() returns null.

      Here is the relevant portion of the web.xml

      ------------------------------------------------------------------------
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>EditorPages</web-resource-name>
          <description>Editor pages</description>
          <url-pattern>/editor/*</url-pattern>
          <url-pattern>/login-redirect.jsp</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>Editors and Administrators only</description>
          <role-name>admin</role-name>
          <role-name>editor</role-name>
        </auth-constraint>
      </security-constraint>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>AdminPages</web-resource-name>
          <description>Administration pages</description>
          <url-pattern>/admin/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>Administrators only</description>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- Login and login error pages -->
      <login-config>
        <!-- RESIN_AUTHENTICATOR -->
        <auth-method>FORM</auth-method>
        <realm-name>rollerRealm</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <description>The Administrator Role</description>
        <role-name>admin</role-name>
      </security-role>

      <security-role>
        <description>The Editor Role</description>
        <role-name>editor</role-name>
      </security-role>

      ------------------------------------------------------------------------

      Everything in the realm code seems to be working and since the subject's
      principal set is populated in the commit() method of the
      AppservPasswordLoginModule super class that principal should be available in
      the HttpServletRequest getUserPrincipal().

        Activity

        aaronanderson added a comment -

        By debugging and setting only security logging to the finest I observed these
        lines

        [#|2006-01-22T17:01:41.625-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_
        RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Checking Web
        Permission with Principals : null|#]

        [#|2006-01-22T17:01:42.421-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_
        RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Web Permission =
        (javax.security.jacc.WebResourcePermission /login-redirect.jsp GET)|#]

        [#|2006-01-22T17:02:02.703-0600|FINEST|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImpl
        ies;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|JACC Policy Provider:
        PolicyWrapper.implies, context (MyBlog__myblog)- result was(false) permission
        ((javax.security.jacc.WebResourcePermission /login-redirect.jsp GET))|#]

        [#|2006-01-22T17:02:02.703-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermis
        sion;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security]
        hasResource isGranted: false|#]

        [#|2006-01-22T17:02:02.703-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermis
        sion;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security]
        hasResource perm: (javax.security.jacc.WebResourcePermission /login-
        redirect.jsp GET)|#]

        [#|2006-01-22T17:02:07.375-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=setPolicyContext;
        _RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Policy Context
        ID was: MyBlog__myblog|#]

        [#|2006-01-22T17:02:10.281-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_
        RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Codesource with
        Web URL: file:/MyBlog__myblog|#]

        [#|2006-01-22T17:02:10.500-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_
        RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Checking Web
        Permission with Principals : admin, admin, editor|#]

        [#|2006-01-22T17:02:10.968-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_
        RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security] Web Permission =
        (javax.security.jacc.WebResourcePermission /login-redirect.jsp GET)|#]

        [#|2006-01-22T17:16:11.453-0600|FINEST|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImpl
        ies;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|JACC Policy Provider:
        PolicyWrapper.implies, context (MyBlog__myblog)- result was(false) permission
        ((javax.security.jacc.WebResourcePermission /login-redirect.jsp GET))|#]

        [#|2006-01-22T17:16:11.453-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.enterprise.security.SecurityContext;MethodName=setCurrent;_R
        equestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|permission check done to set
        SecurityContext|#]

        [#|2006-01-22T17:16:14.734-0600|FINE|sun-appserver-
        pe9.0|javax.enterprise.system.core.security|_ThreadID=13;_ThreadName=httpWorkerT
        hread-8080-
        3;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermis
        sion;_RequestID=99e7bf0b-a1ba-41f0-ace9-bdc00db63577;|[Web-Security]
        hasResource isGranted: false|#]

        I then tracked it down to the WebSecurityManager checkPermission(Permission
        perm, Set principalSet) that ends up invoking the PolicyWrapper class that
        delegates the check to the PolicyFile. The policy entry I added to the
        server.policy for the web app was

        -------------------------------------------------------
        // permissions for web LibertyBlog: file upload, log setting, etc :
        grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/MyBlog/-" {
            permission java.security.AllPermission;
        };

        -------------------------------------------------------

        I do not see why the web security manager would check a
        sun.security.provider.PolicyFile instead of the web app descriptor that defines
        the roles.

        aaronanderson added a comment -

        Looks like when I deployed the app the granted.policy file did not contain the
        principals/roles from the web.xml descriptor. The contents of
        ${com.sun.aas.instanceRoot}/generated/policy/MyBlog__myblog/granted.policy are:

        -------------------------------------------------------------------------------
        /* AUTOMATICALLY GENERATED ON Sun Jan 22 12:26:22 CST 2006*/
        /* DO NOT EDIT */

        grant {
            permission javax.security.jacc.WebUserDataPermission "/admin/*";
            permission javax.security.jacc.WebUserDataPermission "/login-redirect.jsp";
            permission javax.security.jacc.WebUserDataPermission "/:/login-redirect.jsp:/editor/*:/admin/*";
            permission javax.security.jacc.WebUserDataPermission "/editor/*";
            permission javax.security.jacc.WebResourcePermission "/login-redirect.jsp", "DELETE,HEAD,OPTIONS,PUT,TRACE";
            permission javax.security.jacc.WebResourcePermission "/editor/*", "DELETE,HEAD,OPTIONS,PUT,TRACE";
            permission javax.security.jacc.WebResourcePermission "/:/login-redirect.jsp:/editor/*:/admin/*";
            permission javax.security.jacc.WebResourcePermission "/admin/*", "DELETE,HEAD,OPTIONS,PUT,TRACE";
        };
        ------------------------------------------------------------------------------

        While it contains the references to the protected resource in the app it does
        not contain any references to the roles defined in the web app, like the
        admingui generated policy file does.

        aaronanderson added a comment -

        It turns out I needed to add a sun-web.xml with the following contents:

        ----------------------------------------------------------------------------
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD
        Application Server 9.0 Servlet 2.5//EN'
        'http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd'>

        <sun-web-app>
          <security-role-mapping>
            <role-name>admin</role-name>
            <group-name>admin</group-name>
          </security-role-mapping>
          <security-role-mapping>
            <role-name>editor</role-name>
            <group-name>editor</group-name>
          </security-role-mapping>
        </sun-web-app>
        ---------------------------------------------------------------------

        While it is now quite obvious that this missing descriptor was the cause of the
        problem, the asadmin deploy command reported that the web application was
        deployed successfully, even though the web app that was deployed was not
        completely functional. Since it seems that if a web-app declares any roles it
        must have a sun-web.xml, this check should be built into the deployment process.
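
The deploy-time check requested above, sketched as an added example (not GlassFish code and not part of the issue): a Python lint that reads WEB-INF/web.xml and WEB-INF/sun-web.xml from a WAR and lists the roles that no security-role-mapping ties to a principal or group. The function names and the sample descriptors are constructed for illustration.

```python
"""Pre-deployment lint: roles used in web.xml that sun-web.xml maps to nothing."""
import io
import xml.etree.ElementTree as ET
import zipfile

WEB_XML = "WEB-INF/web.xml"
SUN_WEB_XML = "WEB-INF/sun-web.xml"

# Constructed samples modelled on the descriptors quoted in this issue.
SAMPLE_WEB_XML = b"""<web-app>
  <security-constraint>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>editor</role-name></security-role>
</web-app>"""
SAMPLE_SUN_WEB_XML = b"""<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name><group-name>admin</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>editor</role-name><group-name>editor</group-name>
  </security-role-mapping>
</sun-web-app>"""

def _local(tag):
    """Strip an XML namespace so DTD- and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem):
    return (elem.text or "").strip()

def declared_roles(web_xml):
    """Roles named in <security-role> or <auth-constraint> of web.xml."""
    roles = set()
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) in ("security-role", "auth-constraint"):
            roles.update(_text(r) for r in _children(elem, "role-name"))
    roles.discard("*")  # "*" stands for every declared role, not a role itself
    roles.discard("")
    return roles

def mapped_roles(sun_web_xml):
    """Roles that sun-web.xml maps to at least one principal or group."""
    if sun_web_xml is None:  # descriptor absent: nothing is mapped
        return set()
    roles = set()
    for m in ET.fromstring(sun_web_xml).iter():
        if _local(m.tag) != "security-role-mapping":
            continue
        targets = _children(m, "principal-name") + _children(m, "group-name")
        if any(_text(t) for t in targets):  # an empty <group-name/> maps nothing
            roles.update(_text(r) for r in _children(m, "role-name"))
    return roles

def unmapped_roles(web_xml, sun_web_xml=None):
    """Sorted roles that are declared or required but have no mapping."""
    return sorted(declared_roles(web_xml) - mapped_roles(sun_web_xml))

def check_war(war):
    """Return unmapped roles for a WAR given as a path or file-like object."""
    with zipfile.ZipFile(war) as z:
        web = z.read(WEB_XML)
        sun = z.read(SUN_WEB_XML) if SUN_WEB_XML in z.namelist() else None
    return unmapped_roles(web, sun)

def build_war(web_xml, sun_web_xml=None):
    """Build an in-memory WAR holding only the descriptors (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(WEB_XML, web_xml)
        if sun_web_xml is not None:
            z.writestr(SUN_WEB_XML, sun_web_xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    cases = (("without sun-web.xml", build_war(SAMPLE_WEB_XML)),
             ("with sun-web.xml", build_war(SAMPLE_WEB_XML, SAMPLE_SUN_WEB_XML)))
    for label, war in cases:
        print(label, "->", check_war(war) or "ok")
```

Run against a build artifact with `check_war("path/to/app.war")` and fail the pipeline when the returned list is non-empty.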

        aaronanderson added a comment -

        changed type and summary to accurately reflect type of defect

        qouyang added a comment -

        I am transferring the issue to the security area. The proper logging in this
        case should happen in the security logic. Deployment does not interpret the
        realm information in this case.

        Shing Wai Chan added a comment -

        reassign

        raharsha added a comment -

        Warnings are being logged as of GlassFish v2 on deployment, e.g.:

        [#|2007-11-16T13:59:17.525+0530|WARNING|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_Thr
        eadName=Thread-30;_RequestID=a676cf75-0887-4348-9d41-2fdb731e0fca;|No Principals
        mapped to Role [editor].|#]

        [#|2007-11-16T13:59:17.525+0530|WARNING|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_Thr
        eadName=Thread-30;_RequestID=a676cf75-0887-4348-9d41-2fdb731e0fca;|No Principals
        mapped to Role [admin].|#]


          People

          • Assignee:
            raharsha
            Reporter:
            aaronanderson