
Key: GLASSFISH-19064
Type: Bug
Status: Open
Priority: Major
Assignee: JeffTancill
Reporter: arash1988
Votes: 0
Watchers: 2

Glassfish unreasonably denies access to JSF page with HTTP 403, restarting the domain fixes the problem

Created: 07/Sep/12 07:09 AM   Updated: 15/Aug/13 09:11 PM
Component/s: security
Affects Version/s: 3.1.2
Fix Version/s: 4.0.1

Time Tracking:
Not Specified

Environment:

Tested on Ubuntu 12.04 x86 and Debian 6 x64.


Tags:
Participants: arash1988, Hong Zhang, james.falkner, JeffTancill, Shing Wai Chan and shreedhar_ganapathy


Description

I've got an @Startup EJB (named EJB1) which connects to an HBase database using a library in its @PostConstruct method. The library itself takes advantage of HBase's Java API. This EJB is injected into another EJB (named EJB2), whose local interface (EJB2Local) is injected into web-module beans, including an EJB which creates a web service and a managed bean which is tied to the index.xhtml JSF page.

This is how I reproduce and fix the problem:
1. Create and start a clean Glassfish domain.
2. Deploy the ear archive.
3. Glassfish denies access to index.xhtml with an HTTP 403 error. Other parts of the application, including the web services inside the web module, work flawlessly. The following lines get inserted into server.log upon each request for index.xhtml. Starting the domain in --verbose mode does not produce more messages at this point.

INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ")
INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ")
INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET") ")
INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET:CONFIDENTIAL") ")

4. Without undeploying the application, restart the domain and let the pre-deployed application start automatically.
5. index.xhtml loads without problems.
6. Undeploying/deploying the ear file does not reproduce the problem. To see the 403 error again, one has to create a new domain.



shreedhar_ganapathy added a comment - 13/Dec/12 07:53 PM

-> Hong - please eval this and if it belongs elsewhere, please reassign.


Hong Zhang added a comment - 13/Dec/12 08:35 PM

A reproducible use case will help us to understand the problem better.

Assign to web team to take initial look to see if the permission file needs to be fixed somehow for this use case, and reassign to appropriate category (security?) as needed.


Shing Wai Chan added a comment - 13/Dec/12 09:42 PM

403 means there is no permission granted for a given page.
Please provide an app to illustrate this issue.


Shing Wai Chan added a comment - 17/Jan/13 11:52 PM

Change to security component.


james.falkner added a comment - 15/Aug/13 09:11 PM

We are also seeing this with recent builds of Liferay on JDK 6 and 7.

[#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ") |#]

[#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ") |#]
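Added example, not part of the issue thread or of GlassFish: a small triage script for the "JACC Policy Provider:Failed Permission Check" lines quoted in the description and in the last comment. It groups denials per context and resource and reports which ones were denied both without a transport guarantee and as CONFIDENTIAL. The function names and the "NONE" label are assumptions of this example; the sample lines are copied from this page, plus one constructed non-matching line.

```python
import re
from collections import defaultdict

# Matches the message body in both forms of server.log shown on this page:
# the plain "INFO: ..." line and the "[#|...|#]" record.
JACC_DENY = re.compile(
    r'Failed Permission Check: context \(" (?P<ctx>.*?) "\) , '
    r'permission \(" \("(?P<cls>[^"]+)" "(?P<name>[^"]*)" "(?P<actions>[^"]*)"\) "\)'
)

def parse_denial(line):
    """Return (context, permission class, name, method, transport) or None."""
    m = JACC_DENY.search(line)
    if not m:
        return None
    method, _, transport = m.group("actions").partition(":")
    # "NONE" is this example's label for an action with no ":transport" part.
    return (m.group("ctx"), m.group("cls"), m.group("name"), method, transport or "NONE")

def summarize(lines):
    """Map (context, class, name, method) -> set of transports that were denied."""
    seen = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            seen[d[:4]].add(d[4])
    return dict(seen)

def denied_on_every_transport(summary):
    """Resources denied both without a guarantee and as CONFIDENTIAL."""
    return sorted(k for k, t in summary.items() if {"NONE", "CONFIDENTIAL"} <= t)

# Lines 0-3 are copied from the log excerpts on this page; line 4 is constructed.
SAMPLE = [
    r'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ")',
    r'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET:CONFIDENTIAL") ")',
    r'INFO: JACC Policy Provider:Failed Permission Check: context (" App/App-war_war ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/favicon.ico" "GET") ")',
    r'[#|2013-08-15T21:09:50.938+0000|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=238;_ThreadName=http-thread-pool-8080(5);|JACC Policy Provider:Failed Permission Check: context (" liferay-portal/liferay-portal ") , permission (" ("javax.security.jacc.WebUserDataPermission" "" "GET") ") |#]',
    r'INFO: unrelated line (constructed)',
]

if __name__ == "__main__":
    for ctx, cls, name, method in denied_on_every_transport(summarize(SAMPLE)):
        print(f'{ctx}: {method} "{name}" denied with and without CONFIDENTIAL ({cls})')
```

Run over a full server.log, the same summary shows whether the denials are confined to one context (here the web module) and to which resource names.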