I am getting this outcome in the NetBeans GlassFish output window when a request is made from the internet to a login page:
INFO: JACC Policy Provider:Failed Permission Check: context (" WebApplication2/WebApplication2 ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/login.xhtml" "GET") ")
This does not happen when a request is made from the LAN or localhost and the page is served over HTTPS as required.
I am trying to configure a login page to use transport layer security to protect user passwords during the login request. I am hoping this can be achieved using only the Faces Servlet with declarative security in the web.xml deployment descriptor.
I am using form-based authentication with a non-j_security_check custom Facelet form for programmatic login through the request.login method. The login form has the following security constraint in the web.xml:

    <security-constraint>
        <display-name>secure login</display-name>
        <web-resource-collection>
            <web-resource-name>login.xhtml</web-resource-name>
            <description/>
            <url-pattern>/login.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

There is not an authorization constraint element as this form is obviously intended for unauthenticated users. The only reason there is a security constraint at all is so that the sub element can be set to CONFIDENTIAL assuring a secure connection.
The Java EE 6 tutorial states here that:
If there is no authorization constraint, the container must accept the request without requiring user authentication
and
The user data constraint is handy to use in conjunction with basic and form-based user authentication. When the login authentication method is set to BASIC or FORM, passwords are not protected, meaning that passwords sent between a client and a server on an unprotected session can be viewed and intercepted by third parties. Using a user data constraint with the user authentication mechanism can alleviate this concern. Configuring a user authentication mechanism is described in Specifying an Authentication Mechanism in the Deployment Descriptor.
Why is JACC doing a permission check when no such check should be required to access this resource? Why does it fail only from the internet and not on the LAN?
Simply clean the project and restart the server! This worked fine for me! Sometimes certain files get caught up in the cache! These files may cause this error! So on cleaning the project, the error will get fixed!
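
An added example, not part of the question or the answer: a small Python model of how the constraint in the question is evaluated. It shows that without an auth-constraint no login is demanded, while the CONFIDENTIAL guarantee is met only when the container itself sees the request as secure. `WEB_XML` is constructed from the question's snippet, the function names are hypothetical, and HTTP methods and pattern precedence are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed input: the question's constraint wrapped in a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login.xhtml</web-resource-name>
      <url-pattern>/login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return one dict per <security-constraint>: patterns, transport, roles."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any xmlns prefix on tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    found = []
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        found.append({
            "patterns": [(p.text or "").strip() for p in sc.iter("url-pattern")],
            "transport": (guarantee or "NONE").strip(),
            # None means no <auth-constraint>: no authentication is required
            "roles": None if auth is None
                     else [(r.text or "").strip() for r in auth.iter("role-name")],
        })
    return found

def matches(pattern, path):
    """Servlet URL patterns: exact, path prefix (/x/*) or extension (*.x)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def check_request(constraints, path, secure):
    """Hypothetical model: outcome for a request the container sees as secure or not."""
    for c in constraints:
        if any(matches(p, path) for p in c["patterns"]):
            if c["transport"] in ("CONFIDENTIAL", "INTEGRAL") and not secure:
                return "transport guarantee not met"
            return "served without login" if c["roles"] is None else "login required"
    return "served without login"
```
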