Login not triggered for restricted page in glassfish jdbcrealm authentication

I'm very new to EJB security and the GlassFish authentication and authorization mechanism. I have a JDBC realm and configured sun-web.xml and web.xml to map the roles and restrict access to a page.

However, my problem is that when I restrict access to all the pages, it works and triggers the login pop up before loading the welcome page (using BASIC authentication).

<web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
  <description/>
  <url-pattern>/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
</web-resource-collection>

But when I restrict access to a page in a folder named security, GlassFish does not prompt for the login and redirects the user to the restricted page.

<web-resource-collection>
  <web-resource-name>All Pages</web-resource-name>
  <description/>
  <url-pattern>/security/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
</web-resource-collection>

Please help me solve this problem. Thanks a lot in advance.

I also found these entries after I turned on the security manager:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /faces/security/UserRedirect.jsp GET)

It seems like the admin principal in admin-realm is automatically authenticated and used for my application rather than my jdbcrealm. Any thoughts on how to fix this?

Update

I'm sorry, I just changed the authentication to FORM to check. I changed it back to BASIC again. And yes, I have the jdbcrealm name as the default realm.

You're right, it's exactly that:

GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted

I think it's because the admin-realm admin is automatically authenticated, and when I try to access a restricted page it checks the authenticated user; since it's admin and it has authorization to the page, the page is accessible and does not prompt to login.

These still appear when I run the application and am not trying to log in to the admin console of GlassFish:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin

Also these:

(unresolved javax.security.jacc.WebUserDataPermission /security/* null)
(unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
(unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)

Update 2

I tried using <url-pattern>/*</url-pattern> instead of <url-pattern>/security/*</url-pattern>

and, interestingly, this is what I got in the trace:

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : employee
permission check done to set SecurityContext
Set security context as user: employee

and it goes to an access denied page:

'HTTP Status 403 - Access to the requested resource has been denied'

I don't understand how GlassFish authenticates the user employee without the user submitting the login credentials. It even says 'Password login succeeded for : employee'. Please help me solve this problem.


First of all, thank you very much for your efforts. I'm still stuck with the problem. I'm posting the XML files here.

sun-web.xml

<security-role-mapping>
    <role-name>Employee</role-name>
    <group-name>Employee</group-name>
</security-role-mapping>

web.xml

<security-constraint>
    <display-name>Login Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>User Redirect page</web-resource-name>
        <description/>
        <url-pattern>/security/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>Employee</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>deliverySecurity</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/index.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>Employee</role-name>
</security-role>

Also, there is no stack trace and no exception. The user is just redirected to the secured page as if there were no authentication requirements. This is a JSF visual web development project using NetBeans 6.5.1 and GlassFish v2. Thanks a lot.

cadii asked Mar 06 '10 17:03
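As an added example (not code from the question or from either answer), here is a stand-alone Python check that applies the Servlet url-pattern matching rules (path-prefix `/x/*`, extension `*.jsp`, exact) to the security-constraint from the web.xml above, and runs it against the request path `/faces/security/UserRedirect.jsp` that the GlassFish trace shows being checked, next to the bare `/security/UserRedirect.jsp`. The web.xml fragment is reconstructed from the question; `children`, `pattern_matches` and `constraints_for` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed from the <security-constraint> in the question (with the Java EE namespace a real web.xml carries).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Redirect page</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method><http-method>HEAD</http-method>
      <http-method>PUT</http-method><http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Employee</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def children(el, name):
    """Direct children of el with local tag `name` (ignores the Java EE namespace prefix)."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]


def pattern_matches(pattern, path):
    """Servlet-spec <url-pattern> rules: path-prefix (/x/*), extension (*.jsp), or exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraints_for(web_xml, path, method="GET"):
    """Names of the role-constrained collections that cover this request path and method."""
    hits = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        if not children(sc, "auth-constraint"):
            continue  # no <auth-constraint>: the collection is not role-restricted
        for wrc in children(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in children(wrc, "http-method")]
            if methods and method not in methods:
                continue  # listing methods leaves every unlisted method unconstrained
            patterns = [p.text.strip() for p in children(wrc, "url-pattern")]
            if any(pattern_matches(p, path) for p in patterns):
                hits.append(children(wrc, "web-resource-name")[0].text.strip())
    return hits


if __name__ == "__main__":
    # the path the GlassFish trace in the question checked, next to the bare JSP path
    for uri in ("/faces/security/UserRedirect.jsp", "/security/UserRedirect.jsp"):
        print(uri, "->", constraints_for(WEB_XML, uri) or "not covered by any constraint")
```

Point the script at your real web.xml to see which request paths (as the Faces servlet mapping actually produces them) and which HTTP methods fall outside every constraint.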


2 Answers

Two possible solutions:

1 - Did you try from another browser? Because the login information can be cached, so if you typed it once it will not ask you again until you perform a logout action.

2 - Implement a logout method. I use JSF 2.0 and my logout method is something like this:

import java.util.ArrayList;
import java.util.Map;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

public String logout() {
    FacesContext context = FacesContext.getCurrentInstance();
    Map<String, Object> sessionMap = context.getExternalContext().getSessionMap();

    // remove data from beans (copy the keys first so the map is not modified while iterating over it):
    for (String bean : new ArrayList<String>(sessionMap.keySet())) {
        sessionMap.remove(bean);
    }

    // destroy session (getSession(false) returns null when there is no session yet):
    HttpSession session = (HttpSession) context.getExternalContext().getSession(false);
    if (session != null) {
        session.invalidate();
    }

    // using faces-redirect to initiate a new request:
    return "/security/index.xhtml?faces-redirect=true";
}

You can try to add this method to your bean, and then call it from a button with 'action="#{yourBean.logout}"'.

Then, when you refresh your browser it'll prompt for login credentials.

André answered Oct 31 '22 05:10


Could you please post all the relevant parts of your web.xml because I did a test with this web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>

And requesting a protected resource (http://localhost:8080/mywebapp/jsp/security/protected/ here) does prompt me for a user name and password. In other words, I cannot reproduce the problem (I was using GlassFish v3).

Update: I finished securing my sample webapp with a JDBC realm and confirm that things are working fine. So, as I said, please provide your web.xml and your sun-web.xml. Also, please set the logging level to FINEST for security stuff:

[screenshot of the GlassFish logging configuration, not preserved]

And attach the relevant traces.

Update: I think that the traces you're showing are for the login of the admin user in the admin console. If not, did you set the jdbc realm as the default realm (database is my jdbc realm in the following capture)?

[screenshot of the GlassFish default realm setting, not preserved]

BTW, I thought you were using BASIC authentication. But according to the descriptor you provided, you are using FORM. So, could you clarify what you are actually using and what the problem exactly is (like: "GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted")?

Pascal Thivent answered Oct 31 '22 05:10