
Why isn't the login popup triggered for a secured page?

cadii
Offline
Joined: 2010-03-06

I'm very new to EJB security and the GlassFish authentication and authorization mechanism. I'm working on a JSF visual web application with NetBeans 6.5.1 and GlassFish v2. I have a JDBC realm and have configured sun-web.xml and web.xml to map the roles and restrict access to a page.

However, my problem is that when I restrict access to all the pages, it works and triggers the login popup before loading the welcome page (using BASIC authentication). But when I restrict access to a page in a folder called security, GlassFish does not prompt for login and redirects the user to the restricted page.

This is the role mapping in my sun-web.xml:

    <security-role-mapping>
        <role-name>Employee</role-name>
        <group-name>Employee</group-name>
    </security-role-mapping>

and this is my web.xml:

    <security-constraint>
        <display-name>Login Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>User Redirect page</web-resource-name>
            <url-pattern>/security/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Employee</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>deliverySecurity</realm-name>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/index.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>Employee</role-name>
    </security-role>

Please help me solve the problem. Thanks a lot in advance.

monzillo
Offline
Joined: 2004-05-08

There are a lot of different, and perhaps inconsistent, facets to the posts below, so it is hard to say exactly what is going on.

In the first post, note that according to the login-config element of the web.xml, you have configured Form Based Login (not Basic Auth), and the app has been configured to use a realm named "deliverySecurity".

Since we don't have the entire configuration, we can't see the context-root under which the app is deployed, but from the security-constraint we can see that only resources at context-root/security/* will require authentication.

It would help to see the specific request URLs that you are testing with, but my guess is that you are testing with some requests that are actually being served by other apps than the app for which you have provided the web.xml.

Regarding the second post (as mentioned above), the trace suggests you are comparing requests that are mapped to different apps, which themselves are configured to use different realms. As an ease-of-use feature, the default config of the admin-realm contains an admin user with a zero-length password. (You must change the password of the admin user if you want to force a password collection during web-based accesses to the admin app.)

The second example in the second post would indicate that you issued a request to authenticate with perhaps a third application, since it indicates that the app was configured to use the realm *emsSecurity*. I can only guess why a password would not be required, but it may be that this app was configured (in its login-config) to use BASIC AUTH. In BASIC AUTH the browser caches collected credentials and returns them in response to authentication challenges from the servlet container. As such, it looks like no password is being provided, even though the browser is providing it for you. A browser typically dumps its cache of BASIC AUTH credentials when you quit the browser. You might try quitting your browser and reissuing the request to see if that causes you to be prompted for creds. FWIW, these properties of BASIC AUTH have nothing to do with GlassFish; they are endemic to HTTP BASIC auth.

Please check your request URLs. Note that requests are mapped to specific application contexts, each of which has its own effective security configuration.
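To make the point above concrete (only requests under context-root/security/* are constrained, and only for the methods the collection lists), here is an added checker in Python. It is not code from this thread or from GlassFish: it parses a security-constraint in the Servlet web.xml style and reports, for a request path and method, whether a role is required. The web.xml sample is constructed from the poster's configuration, and the matching rules (most specific url-pattern wins; a collection that enumerates http-method elements covers only those methods; an empty auth-constraint overrides everything) are a simplified model of the Servlet specification rather than the container's own code.

```python
"""Which requests does a web.xml security-constraint actually cover?

Added example, not code from the thread or from GlassFish. Simplified
model of Servlet-spec constraint matching: the most specific url-pattern
wins (exact, then longest path prefix, then extension, then "/"), and a
web-resource-collection that lists http-method elements covers only those.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint from the poster's web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Redirect page</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit('}', 1)[-1]


def parse_constraints(xml_text):
    """Return one (patterns, methods, roles) triple per security-constraint.

    methods is empty when no http-method is listed (= every method).
    roles is None when there is no auth-constraint (anyone may access) and
    an empty set when auth-constraint is present but empty (nobody may).
    """
    constraints = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns, methods, roles = set(), set(), None
        for child in sc:
            if _local(child.tag) == 'web-resource-collection':
                for el in child:
                    if _local(el.tag) == 'url-pattern':
                        patterns.add(el.text.strip())
                    elif _local(el.tag) == 'http-method':
                        methods.add(el.text.strip())
            elif _local(child.tag) == 'auth-constraint':
                roles = {el.text.strip() for el in child
                         if _local(el.tag) == 'role-name'}
        constraints.append((patterns, methods, roles))
    return constraints


def best_pattern(path, patterns):
    """Most specific url-pattern matching `path`, or None if none matches."""
    if path in patterns:
        return path
    prefix = [p for p in patterns if p.endswith('/*')
              and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefix:
        return max(prefix, key=len)
    ext = [p for p in patterns if p.startswith('*.') and path.endswith(p[1:])]
    if ext:
        return ext[0]
    return '/' if '/' in patterns else None


def check(path, method, constraints):
    """Return ('roles', {...}), ('unconstrained', None) or ('denied', None)."""
    every_pattern = set().union(*(p for p, _, _ in constraints))
    pattern = best_pattern(path, every_pattern)
    matched = allow_all = deny = False
    roles = set()
    for patterns, methods, auth in constraints:
        if pattern not in patterns or (methods and method not in methods):
            continue  # wrong pattern, or a method the collection left uncovered
        matched = True
        if auth is None:
            allow_all = True  # no auth-constraint: unauthenticated access allowed
        elif not auth:
            deny = True       # empty auth-constraint: access precluded
        else:
            roles |= auth
    if deny:
        return ('denied', None)
    if not matched or allow_all:
        return ('unconstrained', None)
    return ('roles', roles)


if __name__ == '__main__':
    cs = parse_constraints(WEB_XML)
    for path, method in [('/security/report.jsp', 'GET'),
                         ('/index.jsp', 'GET'),
                         ('/security/report.jsp', 'PATCH')]:
        print(method, path, '->', check(path, method, cs))
```

With the poster's pattern, GET /index.jsp (the welcome page) is unconstrained, which is why no login is triggered there; GET /security/report.jsp requires the Employee role; and a method the collection does not enumerate, such as PATCH, is also unconstrained. That last set corresponds to the "/security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE" WebResourcePermission in the poster's JACC trace, the complement of the listed methods. Omitting http-method altogether makes the collection cover every method, which is the safer habit.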

nasradu8
Offline
Joined: 2009-09-03

Can you please double-check the url-pattern once. Everything else seems perfectly fine.

If possible please attach a small test case which reproduces this.

cadii
Offline
Joined: 2010-03-06

GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted

I think it's because the admin-realm admin is automatically authenticated, and when I try to access a restricted page, it checks the authenticated user, and since it's admin and it has authorization to the page, the page is accessible and it does not prompt to login.

These still appear when I run the application and am not trying to log in to the admin console of GlassFish:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

Also these

(unresolved javax.security.jacc.WebUserDataPermission /security/* null)
(unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
(unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)

I tried using /* instead of /security/*

and interestingly this is what I got in the trace.

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : employee
permission check done to set SecurityContext
Set security context as user: employee

and it goes to an access denied page:

'HTTP Status 403 - Access to the requested resource has been denied'

I don't understand how GlassFish authenticates the user employee without the user submitting the login credentials. It even says 'Password login succeeded for : employee'. Please help me solve this problem.

Kumar Jayanti

glassfish@javadesktop.org wrote:
> GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted
>
> I think it's because the admin-realm admin is automatically authenticated, and when I try to access a restricted page, it checks the authenticated user, and since it's admin and it has authorization to the page, the page is accessible and it does not prompt to login.
>
> These still appear when I run the application and am not trying to log in to the admin console of GlassFish:
>
> Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
> Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
> Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
> File login succeeded for: admin
> JAAS login complete.
> JAAS authentication committed.
> Password login succeeded for : admin
> permission check done to set SecurityContext
> Set security context as user: admin
>
> Also these
>
> (unresolved javax.security.jacc.WebUserDataPermission /security/* null)
> (unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
> (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
> (unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
> (unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
> (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
>
> I tried using /* instead of /security/*
>
> and interestingly this is what I got in the trace.
>
> Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
> Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
> Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
> JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
> JAAS login complete.
> JAAS authentication committed.
> Password login succeeded for : employee
> permission check done to set SecurityContext
> Set security context as user: employee
>
> and it goes to an access denied page:
>
> 'HTTP Status 403 - Access to the requested resource has been denied'
>
> I don't understand how GlassFish authenticates the user employee without the user submitting the login credentials. It even says 'Password login succeeded for : employee'. Please help me solve this problem.
>
Please file a bug with steps to reproduce.

Thanks.
> [Message sent by forum member 'cadii' (vishanka18@yahoo.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=390626
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net
