Security constraits in javaee7 tutorial dukes-forest from Oracle

Greenhorn

Posts: 1

posted 9 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hello

The problem is security-constraint. There are two groups/roles USERS and ADMINS. After authentication, any user can enter the path /admin/ *, but should only admins. web.xml and glassfish-web.xml like configured correctly:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <description>Dukes Forest Java EE 7 Tutotrial Example</description>
    <display-name>Dukes Forest</display-name>
    <distributable/>
    <context-param>
        <param-name>com.sun.faces.validateXml</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
        <param-value>.xhtml</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
        <param-value>true</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>jdbcRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Pages</web-resource-name>
            <description/>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMINS</role-name>
        </auth-constraint>
    </security-constraint> 
    
    <data-source>
        <name>java:global/ForestDataSource</name>
        <class-name>org.apache.derby.jdbc.ClientDataSource</class-name>
        <server-name>localhost</server-name>
        <port-number>1527</port-number>
        <database-name>forest</database-name>
        <user>forest</user>
        <password>app</password>
        <property>
            <name>connectionAttributes</name>
            <value>;create=true</value>
        </property>
    </data-source>
</web-app>

In entities porject pom.xml have strings for jdbcRealm

Log finest level when i auth with regular user, same for admin.

Fine:   [Web-Security] Setting Policy Context ID: old = null ctxID = dukes-store/dukes-store
Fine:   [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/index.xhtml" "POST")
Fine:   [Web-Security] hasUserDataPermission isGranted: true
Fine:   [Web-Security] Policy Context ID was: dukes-store/dukes-store
Fine:   [Web-Security] hasResource isGranted: true
Fine:   [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/index.xhtml" "POST")
Finest:   Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine:   Logging in user [robert@example.com] into realm: jdbcRealm using JAAS module: jdbcRealm
Fine:   Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Warning:   RAR8705: Invalid value for property dynamic-reconfiguration-wait-timeout-in-seconds : null
Warning:   RAR8705: Invalid value for property dynamic-reconfiguration-wait-timeout-in-seconds : null
Finest:   JDBC login succeeded for: robert@example.com groups:[USERS, ADMINS]
Fine:   JAAS login complete.
Fine:   JAAS authentication committed.
Fine:   Password login succeeded for : robert@example.com
Fine:   Set security context as user: robert@example.com

Willie Smits can speak 40 languages. This tiny ad can speak only one:

Smokeless wood heat with a rocket mass heater

https://woodheat.net