 

"JACC Policy Provider:Failed Permission Check" on security constrained login page that has no authorization constraint

I am getting this outcome from the NetBeans GlassFish output window when a request is made from the internet to a login page:

INFO: JACC Policy Provider:Failed Permission Check: context (" WebApplication2/WebApplication2 ") , permission (" ("javax.security.jacc.WebUserDataPermission" "/login.xhtml" "GET") ")

This does not happen when a request is made from the LAN or localhost and the page is served over HTTPS as required.

I am trying to configure a login page to use transport layer security to protect user passwords during the login request. I am hoping this can be achieved using only the Faces Servlet with declarative security in the web.xml deployment descriptor.

I am using form-based authentication with a non-j_security_check custom Facelet form for programmatic login through the request.login method. The login form has the following security constraint in the web.xml:

<security-constraint>
    <display-name>secure login</display-name>
    <web-resource-collection>
        <web-resource-name>login.xhtml</web-resource-name>
        <description/>
        <url-pattern>/login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

There is not an authorization constraint element as this form is obviously intended for unauthenticated users. The only reason there is a security constraint at all is so that the sub element can be set to CONFIDENTIAL assuring a secure connection.

The Java EE 6 tutorial states here that:

If there is no authorization constraint, the container must accept the request without requiring user authentication

and

The user data constraint is handy to use in conjunction with basic and form-based user authentication. When the login authentication method is set to BASIC or FORM, passwords are not protected, meaning that passwords sent between a client and a server on an unprotected session can be viewed and intercepted by third parties. Using a user data constraint with the user authentication mechanism can alleviate this concern. Configuring a user authentication mechanism is described in Specifying an Authentication Mechanism in the Deployment Descriptor.

Why is JACC doing a permission check when no such check should be required to access this resource? Why does it fail only from the internet and not on the LAN?

user2399536 asked May 24 '13 23:05
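
The constraint semantics the question quotes from the tutorial, as an added example that is not part of the original post: a simplified Python model that reads the question's constraint from a web.xml and reports what a container would require for a given request. The `/admin/*` constraint, the function names and the result strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's login constraint plus a hypothetical
# /admin/* constraint (not from the page) for contrast.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login.xhtml</web-resource-name>
      <url-pattern>/login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def load_constraints(xml_text):
    """Return (url_pattern, transport_guarantee, roles); roles is None without <auth-constraint>."""
    out = []
    for sc in (e for e in ET.fromstring(xml_text) if local(e.tag) == "security-constraint"):
        els = list(sc.iter())
        patterns = [e.text.strip() for e in els if local(e.tag) == "url-pattern"]
        tg = next((e.text.strip() for e in els if local(e.tag) == "transport-guarantee"), "NONE")
        auth = next((e for e in els if local(e.tag) == "auth-constraint"), None)
        roles = None if auth is None else [r.text.strip() for r in auth if local(r.tag) == "role-name"]
        out.extend((p, tg, roles) for p in patterns)
    return out

def decide(constraints, path, secure):
    """Simplified model: exact and /prefix/* patterns, first match wins, HTTP methods ignored."""
    for pattern, tg, roles in constraints:
        if not (path == pattern or (pattern.endswith("/*") and path.startswith(pattern[:-1]))):
            continue
        if tg in ("CONFIDENTIAL", "INTEGRAL") and not secure:
            return "needs-secure-transport"  # transport is checked before authorization
        if roles is None:
            return "allow-anonymous"  # no <auth-constraint>: no login required
        return "auth-required" if roles else "deny-all"  # empty role list denies everyone
    return "allow-anonymous"  # no constraint covers this path
```

For `/login.xhtml` the model gives `needs-secure-transport` over plain HTTP and `allow-anonymous` over HTTPS, which is the behaviour the quoted tutorial text describes for a constraint that has a user data constraint but no authorization constraint.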



1 Answer

Simply clean the project and restart the server!! This worked fine for me!! Sometimes there would be certain files that would be caught up in the cache!! These files may cause this error!! So on cleaning the project the error will get fixed!!

ganesh prasad answered Nov 08 '22 00:11
