Alexander Mitenko

It seems like Jetty6 is not compliant with @ManagedBean annotation - they does not work correctly.
Try latest glassfish, jboss, weblogic containers.

Tim Holloway wrote:If I was to assert that my configuration was perfect, I'd have managed to mis-capitalize something, transpose 2 characters (preferably something narrow like "ii" so it's hard to see) or done something otherwise blatantly wrong that would take me 3 days to spot or 5 minutes for someone who didn't "know" what was there. This is because machines in general and computers specifically delight in making me look like an idiot.

That is obvious for me, as a computer professional with 20 years of IT experience and was checked first

Tim Holloway wrote:There are no bugs I know of in the Glassfish security system. You might have missed configuring something in sun-web.xml, but you didn't provide a copy of that file.

Here was a trouble!
I'd missed role-mapping section in that file, thanks for Your advice!
But for what purposes that information must be doubled here?

Tim Holloway wrote:It may not be important, because the most likely explanation is that you haven't mapped the role named "admin" to the user ID "archimage" in your Realm authentication and authorization "database". If that relationship doesn't exist, then the "503" page is exactly what users would see, ubless you replaced it with a custom "You can't do that - you're not authorized" message page of your own design.

My realm configured by the right way - user archimage have an admin role and registered in the "file" realm, mapped in web.xml.
May be troubles in other GlassFish config or project deployment places?

Tim Holloway wrote:Actually, the downside of detailed logs is that obvious tends to get buried. I asked because I saw an explicit login request in code and it's unfortunately common that people think that user-written "security" systems can make use of the web.xml config info designated for use by the container security system,

Explicit login request based on Servlet 3.0 recommended login process and uses container security in fact. At this moment I haven't my own security system

Tim Holloway wrote:One thing that is missing from your example, I believe, is the "catch" part of the "try" block around your login code and a print of the stacktrace that would have been captured at that point.

catch block:
} catch (ServletException e) { e.printStackTrace(); return "error?faces-redirect=true"; }
But here is no exception and stacktrace! Login was successful, it's logged, as I said before. Here is authorization, not authentication troubles...

Tim Holloway wrote:It may not be important, because the most likely explanation is that you haven't mapped the role named "admin" to the user ID "archimage" in your Realm authentication and authorization "database". If that relationship doesn't exist, then the "503" page is exactly what users would see, ubless you replaced it with a custom "You can't do that - you're not authorized" message page of your own design.

403 page shown, not 503...

Yes, of course.
That is obvious from log.
Else user archimage cannot login, but here login was successful.

Help me, please, my mind becomes rot in these naughty faces

Here is /secure/welcome.xhtml text after login process:
HTTP Status 403 - Access to the requested resource has been denied type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. Oracle GlassFish Server 3.1
I've four pages for test:
/welcome.xhtml /login.xhtml /error.xhtml /secure/welcome.xhtml
web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>secured</web-resource-name> <url-pattern>/secure/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>admin</role-name> </security-role> <login-config> <auth-method>FORM</auth-method> <realm-name>file</realm-name> <form-login-config> <form-login-page>/login.xhtml</form-login-page> <form-error-page>/error.xhtml</form-error-page> </form-login-config> </login-config>
/welcome.xhtml have a button:
<p:commandButton action="login" value="Login" ajax="false" /> PrimeFaces namespace <p:
LoginBean.java part for login processing:
HttpServletRequest request = (HttpServletRequest) FacesContext .getCurrentInstance().getExternalContext().getRequest(); try { request.login(this.login, this.password); Principal p = request.getUserPrincipal(); ... return "secure/welcome?faces-redirect=true";

What is wrong here?

Server log (FINEST Security log enabled):
[#|2011-04-21T00:00:38.291+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security.com.sun.enterprise.security.auth.login|_ThreadID=90;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.auth.login.LoginContextDriver;MethodName=doPasswordLogin;|Password login succeeded for : archimage|#] [#|2011-04-21T00:00:38.291+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=90;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.SecurityContext;MethodName=setCurrent;|permission check done to set SecurityContext|#] [#|2011-04-21T00:00:38.291+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security.com.sun.enterprise.security.auth.login|_ThreadID=90;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.auth.login.LoginContextDriver;MethodName=doPasswordLogin;|Set security context as user: archimage|#] [#|2011-04-21T00:00:38.294+1100|FINEST|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=26;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.provider.BasePolicyWrapper;MethodName=getPermissions;|JACC Policy Provider: PolicyWrapper.getPermissions(cs), context (NFCS/ejb_jar) codesource ((file:/NFCS/ejb_jar <no signer certificates>)) permissions: java.security.Permissions@f8f30e ( (java.lang.RuntimePermission getClassLoader) (java.lang.RuntimePermission loadLibrary.*) (java.lang.RuntimePermission accessDeclaredMembers) (java.lang.RuntimePermission getProtectionDomain) (java.lang.RuntimePermission modifyThreadGroup) (java.lang.RuntimePermission stopThread) (java.lang.RuntimePermission setContextClassLoader) (java.lang.RuntimePermission queuePrintJob) (java.util.PropertyPermission line.separator read) (java.util.PropertyPermission java.vm.version read) (java.util.PropertyPermission java.vm.specification.version read) (java.util.PropertyPermission java.vm.specification.vendor read) (java.util.PropertyPermission java.vendor.url read) (java.util.PropertyPermission java.vm.name read) (java.util.PropertyPermission * read,write) (java.util.PropertyPermission os.name read) (java.util.PropertyPermission java.vm.vendor read) (java.util.PropertyPermission path.separator read) (java.util.PropertyPermission java.specification.name read) (java.util.PropertyPermission os.version read) (java.util.PropertyPermission os.arch read) (java.util.PropertyPermission java.class.version read) (java.util.PropertyPermission java.version read) (java.util.PropertyPermission file.separator read) (java.util.PropertyPermission java.vendor read) (java.util.PropertyPermission java.vm.specification.name read) (java.util.PropertyPermission java.specification.version read) (java.util.PropertyPermission java.specification.vendor read) (java.io.FilePermission <<ALL FILES>> read,write) (java.io.FilePermission C:\Users\archimage.HONEY\Documents\Glassfish\glassfish\domains\domain1\lib\databases\- delete) (java.io.FilePermission C:\Users\ARCHIM~1.HON\AppData\Local\Temp\\- delete) (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *) (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read) (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null) (unresolved javax.security.jacc.EJBMethodPermission OrganizationEJB find,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission DepartmentEJB update,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission EJB update,Remote,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ReportScheduleEJB findById,Local,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission DepartmentEJB findById,Local,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission EJB findById,Remote,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB update,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission OrganizationEJB remove,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ScheduleEJB create,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission EJB create,Remote,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ScheduleEJB find,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission ReportScheduleEJB find,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission OrganizationEJB findById,Local,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB findByEMail,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission ReportScheduleEJB update,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB findById,Local,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission ReportScheduleEJB remove,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ScheduleEJB update,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission OrganizationEJB update,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB create,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB find,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission OrganizationEJB create,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ScheduleEJB findById,Local,java.lang.Class,java.lang.Long) (unresolved javax.security.jacc.EJBMethodPermission DepartmentEJB create,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ScheduleEJB remove,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission DepartmentEJB remove,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB findByName,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission ColleagueEJB remove,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission EJB find,Remote,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission ReportScheduleEJB create,Local,java.lang.Object) (unresolved javax.security.jacc.EJBMethodPermission DepartmentEJB find,Local,java.lang.String) (unresolved javax.security.jacc.EJBMethodPermission EJB remove,Remote,java.lang.Object) (unresolved com.sun.enterprise.security.CORBAObjectPermission * *) (java.net.SocketPermission localhost:1024- listen,resolve) (java.net.SocketPermission * connect,resolve) (javax.management.MBeanTrustPermission register) ) |#] [#|2011-04-21T00:00:38.297+1100|INFO|oracle-glassfish3.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=90;_ThreadName=Thread-1;|Hibernate: select colleague0_.id as id154_, colleague0_1_.createdBy_id as createdBy7_154_, colleague0_1_.createdOn as createdOn154_, colleague0_1_.validFrom as validFrom154_, colleague0_1_.validTo as validTo154_, colleague0_1_.eMail as eMail154_, colleague0_1_.name as name154_, colleague0_1_.schedules as schedules154_, colleague0_.birthDate as birthDate155_ from Colleague colleague0_ inner join Subject colleague0_1_ on colleague0_.id=colleague0_1_.id where colleague0_1_.eMail=? limit ?|#] [#|2011-04-21T00:00:38.315+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=setPolicyContext;|[Web-Security] Setting Policy Context ID: old = null ctxID = NFCS/web_war|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=hasUserDataPermission;|[Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /secure/welcome.xhtml GET)|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=hasUserDataPermission;|[Web-Security] hasUserDataPermission isGranted: true|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=setPolicyContext;|[Web-Security] Policy Context ID was: NFCS/web_war|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Generating a protection domain for Permission check.|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Checking with Principal : archimage|#] [#|2011-04-21T00:00:38.316+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Checking with Principal : admin|#] [#|2011-04-21T00:00:38.317+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Checking with Principal : user|#] [#|2011-04-21T00:00:38.317+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Codesource with Web URL: file:/NFCS/web_war|#] [#|2011-04-21T00:00:38.317+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Checking Web Permission with Principals : archimage, admin, user|#] [#|2011-04-21T00:00:38.317+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=checkPermissionWithoutCache;|[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /secure/welcome.xhtml GET)|#] [#|2011-04-21T00:00:38.318+1100|FINEST|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.provider.BasePolicyWrapper;MethodName=doImplies;|JACC Policy Provider: PolicyWrapper.implies, context (NFCS/web_war)- result was(false) permission ((javax.security.jacc.WebResourcePermission /secure/welcome.xhtml GET))|#] [#|2011-04-21T00:00:38.318+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=91;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.SecurityContext;MethodName=setCurrent;|permission check done to set SecurityContext|#] [#|2011-04-21T00:00:38.318+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=hasResourcePermission;|[Web-Security] hasResource isGranted: false|#] [#|2011-04-21T00:00:38.318+1100|FINE|oracle-glassfish3.1|javax.enterprise.system.core.security|_ThreadID=24;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=hasResourcePermission;|[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /secure/welcome.xhtml GET)|#

Hello!

I installed new Oracle JDeveloper 11g 11.1.1.0.1 Build JDEVADF_MAIN.BOXER_GENERIC_081203.1854.5188 and encounters with a problem in deploying built by following Oracle ADF Tutorial war application into the bundled with JDeveloper weblogic appserver.
Here is weblogic deploying stack trace:
<11.03.2009 21:54:55 VLAT> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
weblogic.application.ModuleException: Failed to load webapp: 'webapp1.war'
at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:387)
at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
Truncated. see log file for complete stacktrace
java.lang.ClassNotFoundException: oracle.adf.model.servlet.ADFBindingFilter
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:283)
at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:256)
at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:54)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
Truncated. see log file for complete stacktrace>
I see ADFBindingFilter is absent, but I used ADFInstaller in proper manner with full success of deploying it and including setupadf.cmd into the weblogic startup script.
Search of ADFBindingFilter gave me an adfm.jar file location in AdminServer and lib dir of server.

What is wrong? Help me, please!