Payara/GlassFish 5 Authorization Issue


I have a legacy Java EE application deployed in GlassFish 5.0.1. It uses a custom realm to authenticate users. When logged in and trying to access a protected resource it always throws a 403 error.

The application was running on Java EE 7 and GlassFish 4 before, and I am trying to run it on Java EE 8 and GlassFish/Payara 5.

In the new environment I can login to the application without any issues. The issue arises when trying to access a protected url.

The Default Principal To Role Mapping option is unchecked in GlassFish.

I tried clearing the generated directory and redeploying as well.

I tried deploying in Payara 5 as well and have the same issue.

The reason seems to be that request.isUserInRole in the custom security manager always returns false.

import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Returns true if the authenticated user holds at least one of the given roles.
 * Delegates to the container's role check, which in turn depends on the
 * security-role-mapping in glassfish-web.xml.
 */
public boolean isUserInRole(List<String> roles, HttpServletRequest request, HttpServletResponse response)
{
    // No roles requested: nothing can match.
    if (roles == null || roles.isEmpty())
        return false;

    // Not authenticated: the container has no principal to check roles against.
    if (request.getUserPrincipal() == null)
    {
        return false;
    }

    // Any single matching role grants access.
    for (String role : roles)
    {
        if (request.isUserInRole(role.trim()))
        {
            return true;
        }
    }

    return false;
}

The glassfish-web.xml file is as below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <context-root>/abc</context-root>
  <security-role-mapping>
        <role-name>ABC_MAS</role-name>
        <group-name>ABC_MAS</group-name>
  </security-role-mapping>
      
  <class-loader delegate="false"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
  
  <property name="securePagesWithPragma" value="false" />
</glassfish-web-app>

web.xml contains the following:

<web-app>
  ...
  <security-constraint>
    <display-name>Test application</display-name>
    <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <description/>
      <url-pattern>/pages/secured/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ABC_MAS</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>abcRealm</realm-name>
    <form-login-config>
      <form-login-page>/pages/login.action</form-login-page>
      <form-error-page>/pages/login.action</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description/>
    <role-name>ABC_MAS</role-name>
  </security-role>
</web-app>
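As an added diagnostic example, not code from the original question: a servlet mapped to a path outside the security-constraint (so the container's auth-constraint does not reject the request first) that reports what the container knows about the logged-in user. With FORM login the principal is cached in the session and is also visible on unprotected pages, so a 403 on /pages/secured/* can be narrowed to either a missing principal or a role-to-group mapping that does not match. The path /pages/whoami and the class name are assumptions; ABC_MAS is the role declared in web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (added example). It is mapped to a URL that is
// NOT covered by the security-constraint in web.xml, so the container lets the
// request through even when the role check would fail.
@WebServlet("/pages/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Roles the application expects; ABC_MAS is the role from web.xml.
    private static final List<String> EXPECTED_ROLES = Arrays.asList("ABC_MAS");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // A null principal means FORM login did not establish a session identity
        // at all; a non-null principal with every role reported false points at
        // the security-role-mapping (role -> group) in glassfish-web.xml instead.
        Principal principal = request.getUserPrincipal();
        out.println("authType:   " + request.getAuthType());
        out.println("principal:  " + (principal == null ? "<none>" : principal.getName()));
        out.println("remoteUser: " + request.getRemoteUser());

        for (String role : EXPECTED_ROLES) {
            // Same container call the custom security manager relies on.
            out.println("isUserInRole(" + role + "): " + request.isUserInRole(role));
        }
    }
}
```

Deploy it only in a test environment and remove it afterwards; it exposes identity details that should not be reachable in production.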