3

I have been having a real problem with this way of doing things. I don't normally post problems on here unless I have completely exhausted my resources (Internet searches and peer help).

I am trying to run a demo app that provides form validation through j_security_check action.

I believe everything is configured properly for this method.

The main warning that I am getting is:

Warning:   Unable to find component with ID j_username in view.
Warning:   Unable to find component with ID j_password in view.
Severe:   jdbcrealm.grouperror
Warning:   WEB9102: Web Login Failed:   com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception

My index.xhtml page redirects to the login page if an unauthorised view is about to take place.
I know my creds are correct as I created them.

I know this is absolutely not the best method for doing authentication, but I have been asked to do this and have been frustrated for too many hours now.

Here's some reference:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
</context-param>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcRealm</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin user</web-resource-name>
        <url-pattern>/faces/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User</web-resource-name>
        <description/>
        <url-pattern>/faces/users/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<welcome-file-list>
    <welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
</web-app>

glassfish-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<class-loader delegate="true"/>
<jsp-config>
    <property name="keepgenerated" value="true">
        <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>USER</group-name>
    </security-role-mapping>
</jsp-config>
</glassfish-web-app>

login.xhtml

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head>
    <title>Facelet Title</title>
</h:head>
<h:body>
    <p>Login to access secure pages:</p>
    <form method="POST" action="j_security_check">
        <h:panelGroup>
        <h:panelGrid columns="2">
            <h:outputLabel for="j_username" value="Username" />
            <input type="text" name="j_username" />

            <h:outputLabel for="j_password" value="Password" />
            <input type="password" name="j_password" />

            <h:outputText value="" />
            <h:panelGrid columns="2">
                <input type="submit" name="submit" value="Login" />
                <h:button outcome="index.xhtml" value="Cancel" />
            </h:panelGrid>
        </h:panelGrid>
        </h:panelGroup>
    </form>
</h:body>
</html>

glassfish-resources.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<resources>
 <jdbc-resource enabled="true" jndi-name="jdbc/jdbcRealm" object-type="user" pool-name="RealmConnectionPool">
<description/>
</jdbc-resource>
<jdbc-connection-pool allow-non-component-callers="false" associate-with-thread="false" connection-creation-retry-attempts="0" connection-creation-retry-interval-in-seconds="10" connection-leak-reclaim="false" connection-leak-timeout-in-seconds="0" connection-validation-method="auto-commit" datasource-classname="com.mysql.jdbc.jdbc2.optional.MysqlDataSource" fail-all-connections="false" idle-timeout-in-seconds="300" is-connection-validation-required="false" is-isolation-level-guaranteed="true" lazy-connection-association="false" lazy-connection-enlistment="false" match-connections="false" max-connection-usage-count="0" max-pool-size="32" max-wait-time-in-millis="60000" name="RealmConnectionPool" non-transactional-connections="false" pool-resize-quantity="2" res-type="javax.sql.DataSource" statement-timeout-in-seconds="-1" steady-pool-size="8" validate-atmost-once-period-in-seconds="0" wrap-jdbc-objects="false">
<property name="URL" value="jdbc:mysql://localhost:3306/jdbcrealmdemo?zeroDateTimeBehavior=convertToNull"/>
<property name="User" value="root"/>
<property name="Password" value=""/>
</jdbc-connection-pool>
</resources>

Thanks for any help. Please, I need to get this way of form authentication to work; I would prefer to do it programmatically, but my hands are tied at the moment.

Cheers

codeMonkey
  • So I have narrowed it down to the not working for some reason, the username and password are validating, however it is throwing HTTP 403 and not loading the requested page before the redirect to the login.xhtml page. What I am getting from this is that the is acting like which allows no one into requested pages. Getting close I think. – codeMonkey Nov 05 '14 at 18:00

3 Answers

0

From what you posted, it looks like a problem with your jdbcRealm. You should ensure your tables are well configured. Refer to the answer in this post, which addresses setting up tables for realm authentication: GlassFish JDBC Realm Group Membership

ollaollu
  • Sorry, I should have posted the SQL for the tables. I do believe they are configured properly, as I am using a view to access the tables which contains the user_id, group_id and group_name, but I will look into it and get to posting the SQL – codeMonkey Nov 05 '14 at 11:38
0

Seems this was the issue

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
   <class-loader delegate="true"/>
   <jsp-config>
       <property name="keepgenerated" value="true">
           <description>Keep a copy of the generated servlet class' java code.</description>
       </property>
       <security-role-mapping>
           <role-name>ADMIN</role-name>
           <group-name>ADMIN</group-name>
       </security-role-mapping>
       <security-role-mapping>
           <role-name>USER</role-name>
           <group-name>USER</group-name>
       </security-role-mapping>
   </jsp-config>
</glassfish-web-app>

Should be like this

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>
    <security-role-mapping>
         <role-name>USER</role-name>
         <group-name>USER</group-name>
    </security-role-mapping>
</glassfish-web-app>

I had the <security-role-mapping> nested in the <jsp-config> so that there were essentially no Roles for the app, causing the HTTP 403 errors.

I hope this helps others in the future with similar issues.

codeMonkey
  • I am having same problem what is the data inputs you have done for User, Password info in table. – Bikram Nov 26 '16 at 07:26
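
The misplacement described in the answer above can be caught before deployment. The following is an added example, not code from the original posts or from GlassFish: a Python check that compares the roles used in web.xml auth-constraints with the security-role-mapping elements that are direct children of glassfish-web-app. The function names and the inline XML samples are constructed for illustration, and treating only direct children of the root as effective is an assumption taken from that answer.

```python
import xml.etree.ElementTree as ET

def constrained_roles(web_xml):
    """Roles named in any <auth-constraint> of web.xml (namespace-agnostic)."""
    root = ET.fromstring(web_xml)
    names = root.findall(".//{*}auth-constraint/{*}role-name")
    return {n.text.strip() for n in names if n.text}

def role_mappings(gf_xml):
    """Split <security-role-mapping> elements into top-level and nested ones."""
    root = ET.fromstring(gf_xml)
    effective, misplaced = set(), []
    for parent in root.iter():                      # root first, then descendants
        for m in parent.findall("security-role-mapping"):  # direct children only
            role = (m.findtext("role-name") or "").strip()
            if parent is root:
                effective.add(role)
            else:
                misplaced.append((role, parent.tag))
    return effective, misplaced

def audit(web_xml, gf_xml):
    """Return a list of findings; an empty list means every role is mapped."""
    effective, misplaced = role_mappings(gf_xml)
    findings = [f"{role}: mapping nested in <{tag}>, expected directly under the root"
                for role, tag in misplaced]
    findings += [f"{role}: used in auth-constraint but has no top-level mapping"
                 for role in sorted(constrained_roles(web_xml) - effective)]
    return findings

# Constructed samples, reduced from the files shown in the question and answer.
WEB_XML = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>'
           '<auth-constraint><role-name>ADMIN</role-name><role-name>USER</role-name>'
           '</auth-constraint></security-constraint></web-app>')
MAPPINGS = ('<security-role-mapping><role-name>ADMIN</role-name>'
            '<group-name>ADMIN</group-name></security-role-mapping>'
            '<security-role-mapping><role-name>USER</role-name>'
            '<group-name>USER</group-name></security-role-mapping>')
BROKEN = f'<glassfish-web-app><jsp-config>{MAPPINGS}</jsp-config></glassfish-web-app>'
FIXED = f'<glassfish-web-app><jsp-config/>{MAPPINGS}</glassfish-web-app>'

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(WEB_XML, doc) or "ok")
```
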
0

See GLASSFISH-18901 ticket in JIRA. I also had this issue and was able to correct the code that was failing (invalid results of scan of security rules). Subsequent redirect to target page also fails which is the focus of the ticket noted above.

I should note that the ticket above is for version 3.1.2 and the fix for the problem was targeted originally for version 4.0.1 (which it doesn't appear is going to be released).

The ticket now is tagged for "future release" which probably means that it won't be fixed any time soon.

The patch I wrote to correct the authentication process is probably not suitable for the 4.1 code base as I believe they rewrote the entire process (leaving the bug in place it appears).