问题
Version: GlassFish Server 3.1.2.2 (build 5)
I have an EAR
project which contains a WAR
and a single EAR
.
In the META-INF
folder of the EAR, I have a sun-application.xml
file which maps a selection of roles to groups.
In the default file realm for Glassfish
, I have configured users which map to these groups.
I am not using Default Role to Mapping and I have not actived the Security Manager.
Access works perfectly. This is further proven by removing the deployment descriptor, which causes an Authorization exception when trying to log in without it.
However when trying to access a seemingly random (but consistent) selection of my EJBs, I am greated with the infamous Glassfish "javax.ejb.AccessLocalException: Client not authorized for this invocation
" exception.
I have tried to delete my generated Policy files and redeploy the server, but this does not work.
When I look into the Policy file for my EJB, straight away I notice that the afflicted EJB grants are missing.
It would appear that one or two roles per group as defined in the sun-application.xml file are being missed.
Why would Glassfish fail to generate a complete policy file from a (proven) working sun-application.xml
and (proven) set of @RolesAllowed
definitions?
Here's the deployment descriptor:
<!DOCTYPE sun-application PUBLIC "-//Sun Microsystems, Inc.//DTD
GlassFish Application Server 3.0 Java EE Application 6.0//EN"
"http://www.sun.com/software/appserver/dtds/sun-application_6_0-0.dtd">
<sun-application>
<security-role-mapping>
<role-name>ViewAllData</role-name>
<role-name>BasicUser</role-name>
<group-name>BasicGroup</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>DataSupervisor</role-name>
<group-name>DatasetSupervisors</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>FindData</role-name>
<role-name>FindSubData</role-name>
<group-name>DatasetUsers</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ManageData</role-name>
<role-name>ManageSubData</role-name>
<role-name>InvokeDataload</role-name>
<group-name>DatasetManagers</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ResolveGroup1</role-name>
<role-name>ResolveGroup2</role-name>
<role-name>ResolveGroup3</role-name>
<group-name>Decoders</group-name>
</security-role-mapping>
</sun-application>
For some reason, the roles ResolveGroup1
and ViewAllData
are missing from the EJB granted.policy file, despite appearing in a couple of EJBs:
@RolesAllowed({"ResolveGroup1"})
@Stateless(mappedName = "ejb/FindGroupOneController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class FindGroupOneControllerImpl implements FindGroupOneController{
@RolesAllowed({"ViewAllData"})
@Stateless(mappedName = "ejb/ViewDataController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class ViewDataControllerImpl implements ViewDataController{
回答1:
Unless someone can tell me otherwise, it looks like the reason I was having problems is because you may use only one <role-name>
per <security-role-mapping>
.
来源:https://stackoverflow.com/questions/17423718/why-would-glassfish-generate-an-incomplete-granted-policy-file