Glassfish basic authentication in REST services - authentication

I am trying to make basic authentication in Web Project using Glassfish jdbcRealm.
This is my web.xml authentication part:
<security-constraint>
<display-name>LoginTestContraint</display-name>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<description/>
<url-pattern>/login/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>UsersRead</role-name>
<role-name>UsersWrite</role-name>
<role-name>UsersDelete</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>UsersConstraints</display-name>
<web-resource-collection>
<web-resource-name>FindAll</web-resource-name>
<description/>
<url-pattern>/resources/com.taxi.model.users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>UsersRead</role-name>
<role-name>UsersWrite</role-name>
<role-name>UsersDelete</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>AccessConstraints</display-name>
<web-resource-collection>
<web-resource-name>/resources/com.taxi.model.access</web-resource-name>
<description/>
<url-pattern>/resources/com.taxi.model.access/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>AccessRead</role-name>
<role-name>AccessWrite</role-name>
<role-name>AccessDelete</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>taxiJDBCRealm</realm-name>
</login-config>
<security-role>
<description/>
<role-name>AccessRead</role-name>
</security-role>
<security-role>
<description/>
<role-name>AccessWrite</role-name>
</security-role>
<security-role>
<description/>
<role-name>AccessDelete</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersRead</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersWrite</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersDelete</role-name>
</security-role>
And this is what i have in glassfish-web.xml:
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AccessDelete</role-name>
<group-name>AccessDelete</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AccessRead</role-name>
<group-name>AccessRead</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AccessWrite</role-name>
<group-name>AccessWrite</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersDelete</role-name>
<group-name>UsersDelete</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersRead</role-name>
<group-name>UsersRead</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersWrite</role-name>
<group-name>UsersWrite</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
I want to authenticate REST service users, so I do following:
#Stateless
#Path("com.taxi.model.users")
public class UsersFacadeREST extends AbstractFacade<Users> {
// ...
#GET
#Override
#Produces({"application/xml", "application/json"})
#RolesAllowed("UsersRead")
public List<Users> findAll() {
return super.findAll();
}
// ...
}
#Stateless
#Path("com.taxi.model.access")
public class AccessFacadeREST extends AbstractFacade<Access> {
// ...
#GET
#Override
#Produces({"application/xml", "application/json"})
#RolesAllowed("AccessRead")
public List<Access> findAll() {
return super.findAll();
}
// ...
}
When I try to open http://localhost:8080/taxi/resources/com.taxi.model.access it returns me XML with accesses.
So, then I try to open http://localhost:8080/taxi/resources/com.taxi.model.users in browser it is all works, but access is denied. In postgresql log file I see:
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glpasswd FROM vw_glusertable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glgroup FROM vw_glgrouptable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
Glassfish error log:
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = taxi/taxi
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /resources/com.taxi.model.users GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [nickla] into realm: taxiJDBCRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: nickla groups:[UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : nickla
FINE: Set security context as user: nickla
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
Why is Glassfish told me that my user with role UsersRead has no grants for com.taxi.model.users?
P.S.:
Answer is simple - do not use UsersRead UsersWrite UsersDelete words as role names. I do not know why, but when I changed it to UsersRead11 all things go right.

Related

How can I get rid of keycloak's default login page and use my own login page

I am using wildfly 10.1.0.Final and keycloak 3.1.0.Final.
I want to use my own login page, I have created a login page with a submit button to get the token:
$('#submit').click(function(e) {
var creds = "client_id=sensorcloud-2.2.1-SNAPSHOT&grant_type=password&client_secret=b6b4f0ec-9936-46a2-9f40-69c207e2e0f2&username=" + $('#username')[0].value +"&password=" + $('#password')[0].value;
$.ajax({
url: 'https://localhost:8445/auth/realms/sensorcloud-auth/protocol/openid-connect/token',
data: creds,
headers: {'Content-Type':'application/x-www-form-urlencoded'},
type: 'POST',
success: function(data){
localStorage.setItem('currentUser', JSON.stringify(data));
window.location.replace("https://localhost:8443/sensorcloud-2.2.1-SNAPSHOT/dashboard.html");
},
error: function() {
alert("Invalid username or password");
}
});
});
And it works.
Only with this code, dashboard.html doesn't have any security constraint at all,so I set up the web.xml as recommended:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>SensorCloud</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>sensorcloud-auth</realm-name>
</login-config>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/rest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/index.html</url-pattern>
<url-pattern>/help.html</url-pattern>
<url-pattern>/register.html</url-pattern>
<url-pattern>/login.html</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/dashboard.html</url-pattern>
<url-pattern>/management.html</url-pattern>
<url-pattern>/password.html</url-pattern>
<url-pattern>/user.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
Some public pages can be accessed by anyone like index.html, login.html. And some pages should be accessed only by user and admin, like dashboard.html, and admin.html should only be accessed by admin user.
And in my keycloak realm client setting, for client sensorclout-2.2.1-SNAPSHOT, I have redirect url as
https://localhost:8443/sensorcloud-2.2.1-SNAPSHOT/*
But every time when I try to go to dashboard.html, I will be redirect the keycloak default login page. I want to be redirect to my customized login page.
How can I achieve this?
Thanks

when you set Access Type of your client to "public", then keycloak will always redirect a user to its login page. You can set Access Type to "bearer-only" - in this case keycloak would NOT redirect, but you need to be authenticated to access secured ressources.
If you configure keycloak like this, then, when accessing secured pages, you will need to implement some process, which checks, if user is already authenticated, and if not, redirect it to your login page.

Secured REST call on Websphere

I am trying to create a secured REST service on WebSphere 8.5.0.2. I want to secure using basic authentication. I modified my web.xml and tryed to read auto injected SecurityContext. I get an auto injected object but various operations are failing for e.g. securityContext.getAuthenticationScheme();
I have also mapped my role to all authentiacted realm's users.
I could not find anything in Wink's documentation too. Am i doing anything wrong ?
My web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>RESTModulation</display-name>
<!-- Wink SDK servlet configuration.
This servlet handles HTTP requests
of SDK web service on application server.-->
<servlet>
<description>
JAX-RS Tools Generated - Do not modify</description>
<servlet-name>EntryRestServlet</servlet-name>
<servlet-class>com.ibm.websphere.jaxrs.server.IBMRestServlet</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.demo.DemoResourceApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>EntryRestServlet</servlet-name>
<url-pattern>
/resources/*</url-pattern>
</servlet-mapping>
<security-constraint id="SecurityConstraint_1">
<web-resource-collection id="WebResourceCollection_1">
<web-resource-name>EntryRestServlet</web-resource-name>
<description>Protection area for Rest Servlet</description>
<url-pattern>/resources/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>Role1 for this rest servlet</description>
<role-name>Role1</role-name>
</auth-constraint>
</security-constraint>
<security-role id="SecurityRole_1">
<description>This is Role1</description>
<role-name>Role1</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>defaultWIMFileBasedRealm</realm-name>
</login-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>
==========================================================================
Service implementation
#Path("/MyTestService")
public class MyTestService{
#Context
SecurityContext securityContext;
#GET
#Path("/getUser1")
#Produces(MediaType.TEXT_PLAIN)
public Response doInquiry()throws Exception {
String jsonData= "{'user':'I am here '}";
String authnScheme = securityContext.getAuthenticationScheme();
System.out.println("authnScheme : " + authnScheme);
// retrieve the name of the Principal that invoked the resource
String username = securityContext.getUserPrincipal().getName();
System.out.println("username : " + username);
// check if the current user is in Role1
Boolean isUserInRole = securityContext.isUserInRole("Role1");
System.out.println("isUserInRole : " + isUserInRole);
return Response.status(Response.Status.OK).entity(jsonData).build();
}
}

I did not pass correct password from REST client. After providing correct credentials, it has started working.

How can I use #RolesAllowed in Java EE 6.0

I'm using jax-rs 1.1 (as this JavaEE 6.0) and want a standard way to manage permission for my resources. I've tried this:
#Path("/public/login/")
#Stateless
#RolesAllowed("ADMIN")
public class LoginResource implements Serializable {
#POST
#Consumes("application/json")
#Produces("application/json")
public Response login(Usuario usuario) {
....
}
}
But it appears to have no effect. What am I missing?

Your application may be missing security constraints in web.xml and in that case it is ignoring any security annotations.
Try to add the following to your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admins</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>admins</role-name>
</security-role>

JDBCRealm authentication works with Servlet #WebFilter but throws NamingEcception when using security constraint in web.xml

Short version:
I have setup a small maven web project (JDK 1.8.0, Source: 1.8, JavaEE7) to test the JDBCRealm in Glassfish 4.1 (build 13). It consists of two Entities: RealmUser und RealmGroup and a JAX-RS Service to insert, update and delete these Entities.
I defined the JDBCResource in glassfish-resources.xml, configured the realm via Glassfish Admin Console, and setup web.xml with login-config (BASIC) only.
When using a WebFilter to activate authentication it works fine.
But when i setup a security constraint in the web.xml instead, i get the following exception whenever i try to access the protected resource (Full Stacktrace and details below):
Schwerwiegend: jdbcrealm.invaliduser
Fine: Cannot validate user
javax.security.auth.login.LoginException: Unable to connect to datasource java:app/jdbc/sampleresource for database user null.
...
Caused by: javax.naming.NamingException: Lookup failed for 'java:app/jdbc/sampleresource' in SerialContext[myEnv={com.sun.enterprise.connectors.jndisuffix=__nontx, java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory, java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl, java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception is javax.naming.NamingException: Invocation exception: Got null ComponentInvocation ]
...
Caused by: javax.naming.NamingException: Invocation exception: Got null ComponentInvocation
...
Your help is greatly appreciated!
Step by Step:
I created a Derby Database (SampleDB, user: testuser, password: pw) and defined a JDBC resource via glassfish-resources.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<resources>
<jdbc-resource enabled="true" jndi-name="java:app/jdbc/sampleresource" object-type="user" pool-name="samplepool">
<description/>
</jdbc-resource>
<jdbc-connection-pool datasource-classname="org.apache.derby.jdbc.ClientDataSource40" name="samplepool" res-type="javax.sql.DataSource">
<property name="URL" value="jdbc:derby://localhost:1527/SampleDB"/>
<property name="serverName" value="localhost"/>
<property name="portNumber" value="1527"/>
<property name="databaseName" value="SampleDB"/>
<property name="User" value="testuser"/>
<property name="Password" value="pw"/>
<property name="driverClass" value="org.apache.derby.jdbc.ClientDriver"/>
</jdbc-connection-pool>
</resources>
I created the persistence.xml with jta-data-source set to java:app/jdbc/sampleresource:
<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
<persistence-unit name="SampleRealmPU" transaction-type="JTA">
<jta-data-source>java:app/jdbc/sampleresource</jta-data-source>
<exclude-unlisted-classes>false</exclude-unlisted-classes>
<properties>
<property name="javax.persistence.schema-generation.database.action" value="create"/>
</properties>
</persistence-unit>
</persistence>
On Startup the Application adds a default user (admin, pw) and default group (Administrator), and assigns admin to the Administrator group.
Then i created the JDBC Realm using the Admin Console, and pointed the Realm to java:app/jdbc/sampleresource.
Note:
I added Database username and password entries although they should be redundant.
Default Principal To Role Mapping is Enabled.
I implemented two services:
GET on .../webresources/UserService/users returns the list of all users
GET on .../webresources/UserService/groups return the list of all groups
Now to activate authentication for accessing groups i created a very simple web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SampleRealm</realm-name>
</login-config>
</web-app>
and a WebFilter:
#WebFilter("/webresources/UserService/groups/*")
public class Authenticator implements Filter {
#Override
public void init(FilterConfig filterConfig) throws ServletException {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
try {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
if (req.authenticate(resp)) {
chain.doFilter(req, resp);
}
} catch (Throwable t) {
t.printStackTrace();
}
}
#Override
public void destroy() {
}
}
So far it works! I have to provide my default user credentials to access the groups.
Now instead of using the Webfilter i want to use the web.xml to define the same authentication constraint on groups. I commented the whole WebFilter and modified the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>GroupConstraint</display-name>
<web-resource-collection>
<web-resource-name>UserService groups</web-resource-name>
<description/>
<url-pattern>/webresources/UserService/groups/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>requires auth</description>
<role-name>Administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SampleRealm</realm-name>
</login-config>
<security-role>
<description/>
<role-name>Administrator</role-name>
</security-role>
</web-app>
With this setup i can access the users resource (i.e. database is there) but when i try to access the groups resource i get HTTP Status 401 - Unauthorized and Glassfish logs:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = samples-realm-web/samples-realm-web
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/webresources/UserService/groups" "GET")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Fine: [Web-Security] Policy Context ID was: samples-realm-web/samples-realm-web
Fine: [Web-Security] Generating a protection domain for Permission check.
Fine: [Web-Security] Codesource with Web URL: file:/samples-realm-web/samples-realm-web
Fine: [Web-Security] Checking Web Permission with Principals : null
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (samples-realm-web/samples-realm-web)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET"))
Fine: [Web-Security] hasResource isGranted: false
Fine: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET")
Finest: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine: Logging in user [admin] into realm: SampleRealm using JAAS module: jdbcRealm
Fine: Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Schwerwiegend: jdbcrealm.invaliduser
Fine: Cannot validate user
javax.security.auth.login.LoginException: Unable to connect to datasource java:app/jdbc/sampleresource for database user null.
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.getConnection(JDBCRealm.java:585)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.isUserValid(JDBCRealm.java:408)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.authenticate(JDBCRealm.java:324)
at com.sun.enterprise.security.ee.auth.login.JDBCLoginModule.authenticate(JDBCLoginModule.java:78)
at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:116)
at com.sun.enterprise.security.BasePasswordLoginModule.login(BasePasswordLoginModule.java:145)
at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:383)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:241)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:154)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:695)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:636)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:166)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1524)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:606)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:702)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.naming.NamingException: Lookup failed for 'java:app/jdbc/sampleresource' in SerialContext[myEnv={com.sun.enterprise.connectors.jndisuffix=__nontx, java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory, java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl, java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception is javax.naming.NamingException: Invocation exception: Got null ComponentInvocation ]
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:491)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:438)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at org.glassfish.resourcebase.resources.naming.ResourceNamingService.lookup(ResourceNamingService.java:236)
at com.sun.enterprise.connectors.service.ConnectorResourceAdminServiceImpl.lookup(ConnectorResourceAdminServiceImpl.java:224)
at com.sun.enterprise.connectors.ConnectorRuntime.lookupNonTxResource(ConnectorRuntime.java:553)
at com.sun.enterprise.connectors.ConnectorRuntime.lookupNonTxResource(ConnectorRuntime.java:538)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.getConnection(JDBCRealm.java:573)
... 48 more
Caused by: javax.naming.NamingException: Invocation exception: Got null ComponentInvocation
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.getComponentId(GlassfishNamingManagerImpl.java:842)
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:714)
at com.sun.enterprise.naming.impl.JavaURLContext.lookup(JavaURLContext.java:167)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:471)
... 56 more
Fine: JAAS authentication aborted.
Finest: doPasswordLogin fails
javax.security.auth.login.LoginException: Security Exception
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:840)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:383)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:241)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:154)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:695)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:636)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:166)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1524)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:606)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:702)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.SecurityException
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:841)
... 39 more
Warnung: WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception
I tried several things to solve this including:
renaming the jdbc resource
leaving/adding the java:app namespace at several points
creating a completly new project to test
added Role Mappings (despite having default Role mapping enabled)
Example of RoleMappings using glassfish-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMSSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/h2ee web-app_2_4.xsd">
<security-role-mapping>
<role-name>Administrator</role-name>
<group-name>Administrator</group-name>
</security-role-mapping>
</glassfish-web-app>
Your help is greatly appreciated!

your password Encryption is set to SHA-256... Make it AES
USE SHA-256 as the digest Algo not the encryption... try using Hex as the Encoding

How to implement redirect to login-page with Java EE 6/Glassfish

I'm trying to implement a redirect after login, which means I can't use glassfish built-in form authentication settings anymore that handles such things automatically. So first thing's first, I need to take control over redirecting to a login page when requesting a protected page. As I understand, this is done with a filter. Can this method be combined with security-constraints in web-xml? As it is, my filter is not called at all since glassfish just takes over and throws a basic loginbox at the user and ignores all filters even when no login configuration is set. Basicly, I have not managed to get a filter called before a user has logged in when security constraints are configured in glassfish.
Do I really need to take over security completly manually in a filter for this to work? If that's the case, the implementation seems horrible.
Using glassfish 3.1 with JSF 2 and a custom loginpage logging in manually with request.login.
web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value><!--Production-->Development</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>de.odysseus.el.ExpressionFactoryImpl</param-value>
</context-param>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<filter>
<filter-name>LoginFilter</filter-name>
<filter-class>com.xdin.competence.jsf.util.LoginFilter</filter-class>
</filter>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsf</welcome-file>
</welcome-file-list>
<!--<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/viewExpired.jsf</location>
</error-page>-->
<security-constraint>
<display-name>ManagerArea</display-name>
<web-resource-collection>
<web-resource-name>ManagerArea</web-resource-name>
<description/>
<url-pattern>/manager/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Manager-role</role-name>
<role-name>Admin-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>EmployeeArea</display-name>
<web-resource-collection>
<web-resource-name>EmployeeConstraint</web-resource-name>
<description/>
<url-pattern>/user/Overview.jsf</url-pattern>
<url-pattern>/user/PrepareReport.jsf</url-pattern>
<url-pattern>/user/Search.jsf</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Employee-role</role-name>
<role-name>Admin-role</role-name>
<role-name>Manager-role</role-name>
<role-name>OKIF-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>AdminArea</display-name>
<web-resource-collection>
<web-resource-name>AdminCompetence</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Admin-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>UserArea</display-name>
<web-resource-collection>
<web-resource-name>UserConstraint</web-resource-name>
<description/>
<url-pattern>/index.jsf</url-pattern>
<url-pattern>/template.jsf</url-pattern>
<url-pattern>/user/UserDetail.jsf</url-pattern>
<url-pattern>/user/UserInformation.jsf</url-pattern>
<url-pattern>/print/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Employee-role</role-name>
<role-name>Admin-role</role-name>
<role-name>Manager-role</role-name>
<role-name>OKIF-role</role-name>
</auth-constraint>
</security-constraint>
<!--<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>-->
<security-role>
<description/>
<role-name>Employee-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>Admin-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>Manager-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>OKIF-role</role-name>
</security-role>
</web-app>
And my filter:
public class LoginFilter implements Filter {
private FilterConfig filterConfig = null;
public LoginFilter() {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
if (req.getUserPrincipal() == null) {
req.getSession().setAttribute("from", req.getRequestURI());
res.sendRedirect("/login.jsf");
} else {
chain.doFilter(request, response);
}
}
#Override
public void destroy() {
}
#Override
public void init(FilterConfig filterConfig) {
this.filterConfig = filterConfig;
}
}

In your customized login form, add the following hidden field:
<input type="hidden" name="from" value="#{requestScope['javax.servlet.forward.request_uri']}" />
which you set in JSF as follows
#ManagedProperty(value="#{param.from}")
private String from;
and redirect as follows in login action method
if (from != null) {
externalContext.redirect(from);
}
No need for a Filter.