Skip to main content

Can login, but roles are not assigned

11 replies [Last post]
rwillie6
Offline
Joined: 2007-11-05

I have two setups configured identically. One is clustered with the cluster profile, the other is not clustered using the development profile. On the dev profile, everything is fine. On the cluster, user's can login but their roles are not assigned.

Here's my setup:

web.xml:

admin

member

sun-web.xml:

admin
admin

member
member

When logging in, the login is processed, but the user gets a 403 error when trying to access a resource that they should have access to.

I know that the login is being processed because the user is forwarded onto the restricted resource they were requesting. If the login didn't process (bad credentials) the user is correctly shot off to the error logging in page.

I see the following show up in the logs for each of the security roles defined in web.xml:

Log Level: WARNING
Logger: javax.enterprise.system.core.security
Name-Value Pairs: _ThreadID=28;_ThreadName=RMI TCP Connection(1468)-216.147.203.239;_RequestID=44ea8886-a3c0-494f-8857-f9ae6cb4d207;
Record Number: 4356
Complete Message: No Principals mapped to Role [admin]

Is there anything specific to JDBCRealm in a clustered environment? Why does an identical setup work with the development profile and not clustered? Why could the roles not be assigned despite the login processing successfully?

Whe I first used glassfish I had this problem, but that was with the development profile and was easily solved by adding the security-role-mappings in sun-web.xml. Why are the security-role mappings in sun-web.xml ignored in a clustered environment?

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
rwillie6
Offline
Joined: 2007-11-05

Interesting development:

I got it working as I explained above, but when deploying a new version of my app, the problem came back! I'm not sure whether it came back immediately upon deployment, but it has come back without me touching the security configuration...

It's as if the application does not get together with the security realm during deployment, but does get together fine if the cluster is stopped, the security realm settings are saved, and then the cluster is started again.

But it's really frustrating to have to repeatedly save the same settings again every time I deploy a new version of the .war ....

rwillie6
Offline
Joined: 2007-11-05

Still having this problem.

Does anybody know if JDBCRealm acts differently in a cluster than with the developer profile?

I have the security-roles mapped in sun-web.xml. How can I find out whether those role-mappings are be read? i.e. are they read and ignored?

paulcb
Offline
Joined: 2008-02-06

I'm having the exact same issue on the latest GF V2. When i deploy on a single server, all is ok. If a create a clustered domain and deploy to that, then everything is ok... but once I re-deploy the web app, the log shows:
No Principals mapped to Role [role_name]

This is repeated for each role I have in web.xml. I can then log in, but get a 403 due to insufficient priveledges.

If I redeploy again, then it works. If I redeploy once more, it breaks and continues to alternate each time i redeploy...

P.S. I'm using my own custom authenticator so this problem goes beyond the jdbc or file Realm.

Message was edited by: paulcb

V B Kumar Jayanti

glassfish@javadesktop.org wrote:

>I'm having the exact same issue on the latest GF V2. When i deploy on a single server, all is ok. If a create a clustered domain and deploy to that, then everything is ok... but once I re-deploy the web app, the log shows:
>No Principals mapped to Role [role_name]
>
>This is repeated for each role I have in web.xml. I can then log in, but get a 403 due to insufficient priveledges.
>
>If I redeploy again, then it works. If I redeploy once more, it breaks and continues to alternate each time i redeploy...
>[Message sent by forum member 'paulcb' (paulcb)]
>
>http://forums.java.net/jive/thread.jspa?messageI
>
Can you try with latest builds once because we think this issue is fixed
in latest builds : https://sailfin.dev.java.net/downloads/v1-b60a.html

Thanks.

>D=319113
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
>For additional commands, e-mail: users-help@glassfish.dev.java.net
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

jdrive
Offline
Joined: 2004-07-02

Hi there;

Same problem here, using Sun Java System Application Server 9.1_01 (build b09d-fcs).
Have you a Bug id # or a workaround, as we cannot simply upgrade to latest build....

Thank you

Ivo

granat
Offline
Joined: 2007-07-04

Hi,

I think I have had this problem before:

first, check that the web.xml is 2.5:
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

second, check that the sun-web.xml is also 2.5:

Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">

That's what I found out... I hope this helps...

greets
jeremie

rwillie6
Offline
Joined: 2007-11-05

web.xml is 2.5 and sun-web.xml is 2.5 too....

Thanks for the suggestion though!

Harsha R A

Please check whether sun-web.xml is present in all the instances of the
clustered profile (in the domain-dir/generated/xml/j2ee-modules/ name>/WEB-INF directory).

Thanks
Harsha

glassfish@javadesktop.org wrote, On Tuesday 20 November 2007 05:01 PM:
> I have two setups configured identically. One is clustered with the cluster profile, the other is not clustered using the development profile. On the dev profile, everything is fine. On the cluster, user's can login but their roles are not assigned.
>
> Here's my setup:
>
> web.xml:
>
>
> admin
>

>
> member
>

>
> sun-web.xml:
>
>
> admin
> admin
>

>
> member
> member
>

>
> When logging in, the login is processed, but the user gets a 403 error when trying to access a resource that they should have access to.
>
> I know that the login is being processed because the user is forwarded onto the restricted resource they were requesting. If the login didn't process (bad credentials) the user is correctly shot off to the error logging in page.
>
> I see the following show up in the logs for each of the security roles defined in web.xml:
>
> Log Level: WARNING
> Logger: javax.enterprise.system.core.security
> Name-Value Pairs: _ThreadID=28;_ThreadName=RMI TCP Connection(1468)-216.147.203.239;_RequestID=44ea8886-a3c0-494f-8857-f9ae6cb4d207;
> Record Number: 4356
> Complete Message: No Principals mapped to Role [admin]
>
> Is there anything specific to JDBCRealm in a clustered environment? Why does an identical setup work with the development profile and not clustered? Why could the roles not be assigned despite the login processing successfully?
>
> Whe I first used glassfish I had this problem, but that was with the development profile and was easily solved by adding the security-role-mappings in sun-web.xml. Why are the security-role mappings in sun-web.xml ignored in a clustered environment?
> [Message sent by forum member 'rwillie6' (rwillie6)]
>
> http://forums.java.net/jive/thread.jspa?messageID=246287
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

rwillie6
Offline
Joined: 2007-11-05

Here's are the results of 'locate sun-web.xml' on both instance machines:

Machine 1, instance 1, has the DAS:
/opt/glassfish/domains/domain1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
/opt/glassfish/domains/domain1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml
/opt/glassfish/nodeagents/g1-a1/g1-i1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
/opt/glassfish/nodeagents/g1-a1/g1-i1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml

Machine 2, instance 2, no DAS:
/opt/glassfish/nodeagents/g2-a1/g2-i1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
/opt/glassfish/nodeagents/g2-a1/g2-i1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml

There were other sun-web.xml references (for things like the admin gui) but I didn't paste those in. So it seems to be present.... Thanks for help, any other ideas?

Harsha R A

Can you also make sure the contents of sun-web.xml in all the locations
are same or similar.

I tried the same scenario a (i.e. web app with auth constraint in
glassfish cluster and jdbc realm) and it worked fine.

You can also set the logging level for security to FINEST and send the
log file contents.

Also be aware of a bug in admin gui
(https://glassfish.dev.java.net/issues/show_bug.cgi?id=3604) because of
which modifications to jdbc realm are not handled well and so should
be done when the cluster has been stopped.

Thanks
Harsha

glassfish@javadesktop.org wrote, On Wednesday 21 November 2007 02:55 AM:
> Here's are the results of 'locate sun-web.xml' on both instance machines:
>
> Machine 1, instance 1, has the DAS:
> /opt/glassfish/domains/domain1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
> /opt/glassfish/domains/domain1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml
> /opt/glassfish/nodeagents/g1-a1/g1-i1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
> /opt/glassfish/nodeagents/g1-a1/g1-i1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml
>
> Machine 2, instance 2, no DAS:
> /opt/glassfish/nodeagents/g2-a1/g2-i1/applications/j2ee-modules/Stag/WEB-INF/sun-web.xml
> /opt/glassfish/nodeagents/g2-a1/g2-i1/generated/xml/j2ee-modules/Stag/WEB-INF/sun-web.xml
>
> There were other sun-web.xml references (for things like the admin gui) but I didn't paste those in. So it seems to be present.... Thanks for help, any other ideas?
> [Message sent by forum member 'rwillie6' (rwillie6)]
>
> http://forums.java.net/jive/thread.jspa?messageID=246391
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

rwillie6
Offline
Joined: 2007-11-05

So, I'm attributing this to that bug. I got it working by stopping the cluster, going go the Realm config and just clicking save without changing anything, then restarting the cluster... go figure.

I had restarted of the cluster before, but tried saving of what I thought were saved changes in the realm settings while the cluster was off.

This is quite an annoying bug...

Thanks for the help!