Login not triggered for restricted page in glassfish jdbcrealm authentication

cadii · Mar 6, 2010 · Viewed 7.3k times

I'm very new to EJB security and GlassFish authentication, authorization mechanism. I have a jdbc realm and configured sun-web.xml and web.xml to map the roles and restrict access to a page.

However, my problem is that when I restrict access to all the pages, it works and triggers the login pop up before loading the welcome page (using BASIC authentication).

<web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
  <description/>
  <url-pattern>/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
</web-resource-collection>

but when I restrict access to a page in a folder security, GlassFish does not prompt the login and redirects the user to the restricted page.

<web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
  <description/>
  <url-pattern>/security/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
</web-resource-collection>

Please help me solve this problem. Thanks a lot in advance.

I also found these entries after I turned on the security manager:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /faces/security/UserRedirect.jsp GET)

It seems like the admin principal in admin-realm is automatically authenticated and used for my application rather than my jdbcrealm. Any thoughts on how to fix this?

Update

I'm sorry, I just changed the authentication to FORM to check. I changed it back to BASIC again. And yes, I have the jdbcrealm name as the default realm.

You're right, it's exactly that:

GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted

I think it's because the admin-realm admin is automatically authenticated, and when I try to access a restricted page, it checks the authenticated user; since it's admin and it has authorization to the page, the page is accessible and does not prompt to login.

These still appear when I run the application and am not trying to log in to the admin console of GlassFish:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

Also these:

(unresolved javax.security.jacc.WebUserDataPermission /security/* null)
(unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
(unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)

Update 2

I tried using <url-pattern>/*</url-pattern> instead of <url-pattern>/security/*</url-pattern>,

and interestingly this is what I got in the trace:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : employee
permission check done to set SecurityContext
Set security context as user: employee

and it goes to an access denied page:

'HTTP Status 403 - Access to the requested resource has been denied'

I don't understand how GlassFish authenticates the user employee without the user submitting the login credentials. It even says 'Password login succeeded for : employee'. Please help me solve this problem.


First of all, thank you very much for your efforts. I'm still stuck with the problem. I'm posting the xml files here.

sun-web.xml

<security-role-mapping>
    <role-name>Employee</role-name>
    <group-name>Employee</group-name>
</security-role-mapping>

web.xml

<security-constraint>
    <display-name>Login Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>User Redirect page</web-resource-name>
        <description/>
        <url-pattern>/security/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>Employee</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>deliverySecurity</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/index.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>Employee</role-name>
</security-role>

Also, there is no stack trace. No exception. The user is just redirected to the secured page as if there were no authentication requirements. This is a JSF visual web development project using NetBeans 6.5.1 and GlassFish v2. Thanks a lot.

Answer

André · Jun 16, 2011

Try to add "/faces" to the url pattern. For example: /faces/security/*
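The reason the answer works is visible in the asker's own trace: the JACC permission being checked is for `/faces/security/UserRedirect.jsp`, i.e. the request URI goes through the FacesServlet's `/faces/*` mapping, while the constraint's `<url-pattern>` is `/security/*`. Security constraints are matched against the request URI, not the JSP's location on disk, so no constraint covers the request and the container serves the page without a challenge. The following is an added example, not code from the question or answer: it parses a constructed `web.xml` fragment built from the question's `security-constraint`, applies the servlet specification's url-pattern matching order (exact, longest path prefix, extension, default), and reports which constraint, if any, covers a given request path and method. The `match_score` and `applicable_constraint` functions and the `WEB_XML`/`FIXED_WEB_XML` strings are this example's own; the context path and query string are assumed to be already stripped from the path.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml, not a file from the asker's project: the
# security-constraint from the question, wrapped in a <web-app> root so it
# parses stand-alone (method list shortened to GET/POST).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Redirect page</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# The same constraint with the pattern the answer suggests.
FIXED_WEB_XML = WEB_XML.replace("/security/*", "/faces/security/*")


def match_score(pattern, path):
    """Score how a servlet url-pattern matches a request path, or None if it
    does not match. Higher tuples win, following the servlet specification's
    order: exact match, longest path prefix, extension, then the default "/"."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def applicable_constraint(web_xml, path, method):
    """Return (url-pattern, allowed roles) for the best-matching
    security-constraint covering this request, or None when no constraint
    covers it. None is the situation the question describes: the container
    has nothing to enforce, so no login is triggered."""
    root = ET.fromstring(web_xml)
    best = None
    for sc in root.findall("security-constraint"):
        roles = frozenset(r.text.strip() for r in sc.findall("auth-constraint/role-name"))
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            # An empty http-method list means the collection covers all methods;
            # a listed method set covers only those methods.
            if methods and method not in methods:
                continue
            for up in wrc.findall("url-pattern"):
                pattern = up.text.strip()
                score = match_score(pattern, path)
                if score is not None and (best is None or score > best[0]):
                    best = (score, pattern, roles)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    # Request URI taken from the WebResourcePermission line in the question's trace.
    request = "/faces/security/UserRedirect.jsp"
    for label, cfg in (("/security/*", WEB_XML), ("/faces/security/*", FIXED_WEB_XML)):
        print(f"pattern {label}: {applicable_constraint(cfg, request, 'GET')}")
```

Running it shows `None` for the original pattern and `('/faces/security/*', frozenset({'Employee'}))` for the answer's pattern. A practical check for any constraint: take the URI from the JACC `WebResourcePermission` log line (as the asker did) and confirm the function returns a constraint for it. Since the JSP is also reachable under `/security/*` when the FacesServlet is not in the path, keeping both patterns in the constraint covers both routes to the same resource.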