GLASSFISH-19064

Glassfish unreasonably denies access to JSF page with HTTP 403, restarting the domain fixes the problem

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.2
    • Fix Version/s: future release
    • Component/s: security
    • Labels:
      None
    • Environment:

      Tested on Ubuntu 12.04 x86 and Debian 6 x64.

      Description

      I've got an @Startup EJB (named EJB1) which connects to an HBase database using a library in its @PostConstruct method. The library itself takes advantage of HBase's Java API. This EJB is injected into another EJB (named EJB2) of which its local interface (EJB2Local) is injected into web-module beans, including an EJB which creates a web service and a managed bean which is tied to the index.xhtml JSF page.

      This is how I reproduce and fix the problem:
      1. Create and start a clean Glassfish domain.
      2. Deploy the ear archive.
      3. Glassfish denies access to index.xhtml with an HTTP 403 error. Other parts of the application, including the web services inside the web module, work flawlessly. The following lines get inserted into server.log upon each request for index.xhtml. Starting the domain in --verbose mode does not produce more messages at this point.

      INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ")
      INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ")
      INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET") ")
      INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET:CONFIDENTIAL") ")

      4. Without undeploying the application, restart the domain and let the pre-deployed application start automatically.
      5. index.xhtml loads without problems.
      6. Undeploying/deploying the ear file does not reproduce the problem. To see the 403 error again, one has to create a new domain.

        Activity

        james.falkner added a comment -

        We are also seeing this with recent builds of Liferay on JDK 6 and 7.

        [#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ") |#]
        
        [#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ") |#]
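
        For triaging the denials quoted in this report, the following added example (not part of the original issue and not GlassFish code) parses "Failed Permission Check" records in both layouts shown above and lists the requests denied both with and without the CONFIDENTIAL qualifier. The function names and the "(empty)" / "NONE" labels are assumptions of this example; the sample lines are taken from this page, plus one constructed unrelated line.

```python
import re

# Matches the message body in both the plain "INFO: ..." and the "[#|...|#]" layouts.
FAILED_CHECK = re.compile(
    r'JACC Policy Provider:Failed Permission Check: '
    r'context \(" (?P<context>.*?) "\) , '
    r'permission \(" \("(?P<cls>[^"]+)" "(?P<name>[^"]*)" "(?P<actions>[^"]*)"\) "\)'
)

def parse_failed_checks(lines):
    """Yield one dict per failed JACC permission check found in the log lines."""
    for line in lines:
        m = FAILED_CHECK.search(line)
        if not m:
            continue  # not a JACC denial record
        # Actions look like "GET" or "GET:CONFIDENTIAL" (method[:transport]).
        method, _, transport = m.group("actions").partition(":")
        yield {
            "context": m.group("context"),
            "permission": m.group("cls").rsplit(".", 1)[-1],
            "resource": m.group("name") or "(empty)",  # label chosen for this example
            "method": method,
            "transport": transport or "NONE",          # label chosen for this example
        }

def denied_regardless_of_transport(lines):
    """Return (context, resource, method) tuples denied with and without CONFIDENTIAL."""
    seen = {}
    for rec in parse_failed_checks(lines):
        key = (rec["context"], rec["resource"], rec["method"])
        seen.setdefault(key, set()).add(rec["transport"])
    return sorted(k for k, t in seen.items() if {"NONE", "CONFIDENTIAL"} <= t)

# Sample input: lines quoted on this page, plus one constructed unrelated line.
SAMPLE = [
    'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ")',
    'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ")',
    'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET") ")',
    '[#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ") |#]',
    'INFO: Application deployed (constructed, unrelated line)',
]

if __name__ == "__main__":
    for context, resource, method in denied_regardless_of_transport(SAMPLE):
        print(f"{context}: {method} {resource} denied with and without CONFIDENTIAL")
```
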
        
        Shing Wai Chan added a comment -

        Change to security component.

        Shing Wai Chan added a comment -

        403 means that no permission is granted for a given page.
        Please provide an app to illustrate this issue.

        Hong Zhang added a comment -

        A reproducible use case will help us to understand the problem better.

        Assign to web team to take initial look to see if the permission file needs to be fixed somehow for this use case, and reassign to appropriate category (security?) as needed.

        shreedhar_ganapathy added a comment -

        -> Hong - please eval this and if it belongs elsewhere, please reassign.


          People

          • Assignee: JeffTancill
          • Reporter: arash1988
          • Votes: 0
          • Watchers: 2
