403 error occurs when Form-Authentication succeeded PAYARA-1244 #1213

Closed
MasatoshiTada opened this Issue Nov 30, 2016 · 4 comments


@MasatoshiTada

Description


I created a simple Form-Authentication sample (below).
https://github.com/MasatoshiTada/form-authentication-sample
When the username and password are valid, a 403 error occurs.

Expected Outcome

When the username and password are valid, my sample will show protected.jsp.
(For the valid usernames and passwords, please see the .sql file below.)
[screenshot: 2016-11-30 09 48 09]
[screenshot: 2016-11-30 09 48 21]

The screenshots above are the case of Payara 162.
Payara 164 is configured properly (JDBC resource, realm, and so on), because my sample works in Payara 162 (as above) and I use the same setup script (below) to configure Payara 162 and Payara 164.

Current Outcome

When the username and password are valid, the application shows /WEB-INF/403.jsp.
[screenshot: 2016-11-30 09 49 10]

Steps to reproduce (Only for bug reports)

1 - Install Payara from ZIP file

unzip payara-web-ml-4.1.1.164.zip
mv payara41 payara164

2 - Run setup script
Please use the .sh file below. This file is PROJECT_ROOT/setup-payara.sh.
I use this .sh file to configure Payara 162, too.

# PAYARA_HOME=/path/to/payara (162 or 164)
export PAYARA_HOME=~/Java/ap-server/payara164

# copy JDBC driver
cp ~/Java/JDBC/postgresql-9.4.1212.jar $PAYARA_HOME/glassfish/lib

$PAYARA_HOME/bin/asadmin start-domain domain1

# create JDBC pool
$PAYARA_HOME/bin/asadmin create-jdbc-connection-pool --datasourceclassname org.postgresql.xa.PGXADataSource --restype javax.sql.XADataSource --property url=jdbc\\:postgresql\\://localhost\\:5432/ex:user=user:password=password ExPool

# ping
$PAYARA_HOME/bin/asadmin ping-connection-pool ExPool

# create JDBC resource
$PAYARA_HOME/bin/asadmin create-jdbc-resource --connectionpoolid ExPool jdbc/ex

# enable default-principal-to-role-mapping
$PAYARA_HOME/bin/asadmin set server-config.security-service.activate-default-principal-to-role-mapping=true

# create realm
$PAYARA_HOME/bin/asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm \
--property jaas-context=jdbcRealm:datasource-jndi=jdbc/ex:user-table=users:\
user-name-column=login_id:password-column=encrypt_password:group-table=user_roles:\
group-name-column=role_name:digest-algorithm=SHA-256:\
digestrealm-password-enc-algorithm=digest-algorithm:encoding=Hex:charset=UTF-8 customer

$PAYARA_HOME/bin/asadmin stop-domain domain1

3 - Prepare PostgreSQL

I use PostgreSQL 9.4.4.
Please use the .sql file below.

CREATE TABLE users
(
    login_id VARCHAR(128) PRIMARY KEY,
    encrypt_password VARCHAR(128),
    name VARCHAR(128)
);

CREATE TABLE user_roles
(
    login_id VARCHAR(128),
    role_name VARCHAR(128)
);

-- password is "password"
INSERT INTO users VALUES('adminA', '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8', 'adminA');
INSERT INTO users VALUES('adminB', '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8', 'adminB');

INSERT INTO user_roles(login_id, role_name) VALUES('adminA', 'ADMINISTRATOR');
INSERT INTO user_roles(login_id, role_name) VALUES('adminB', 'ADMINISTRATOR');

4 - Build, deploy, run

mvn clean package
# deploy .war with asadmin or IDE

5 - Access

Access https://localhost:8181/sample/ with the browser, and input a valid username and password.
USERNAME is "adminA" or "adminB", and PASSWORD is "password".
[screenshot: 2016-11-30 09 48 09]

6 - Result

The browser shows /WEB-INF/403.jsp (configured as the web.xml <error-page> for 403 errors).
[screenshot: 2016-11-30 10 11 50]

7 - Case of invalid username and password

The browser shows /WEB-INF/login_error.jsp (configured as the web.xml <form-error-page>).
This is the correct behavior. Of course, it works in Payara 162, too.
[screenshot: 2016-11-30 10 19 45]

Samples

https://github.com/MasatoshiTada/form-authentication-sample

The .sql file and .sh file are included in the project root.

Environment

  • Payara Version: 4.1.1.164 (This bug does not occur in Payara 162)
  • Edition: Web ML
  • JDK Version: Oracle JDK8u112
  • Operating System: macOS Sierra, Windows 7
@fturizo fturizo self-assigned this Dec 1, 2016
@smillidge
Contributor

This is a known issue: the default role mapping security setting is broken in 164. This will be fixed soon.

This has no effect in 164; it is a bug. $PAYARA_HOME/bin/asadmin set server-config.security-service.activate-default-principal-to-role-mapping=true

You can add a role mapping into glassfish-web.xml or add the default role mapping setting as discussed here.
https://payara.gitbooks.io/payara-server/content/documentation/extended-documentation/app-deployment/descriptor-elements.html
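The explicit role mapping smillidge refers to, written out as an added example (it is not code from the issue or from the sample project): a glassfish-web.xml that maps the application's security role to the group the JDBCRealm reads from the user_roles table. It assumes the application's web.xml declares a security role named ADMINISTRATOR, matching the role_name values inserted by the .sql file above; adjust both names to whatever the real descriptors use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC
  "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
  "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<!-- Added example: src/main/webapp/WEB-INF/glassfish-web.xml (path assumed for a Maven war) -->
<glassfish-web-app>
  <!-- Maps the <security-role> "ADMINISTRATOR" from web.xml (assumed name)
       to the realm group "ADMINISTRATOR", i.e. the role_name column in user_roles.
       With this explicit mapping the container no longer depends on the
       activate-default-principal-to-role-mapping server setting, so the
       authenticated user is authorized for the constraint instead of getting 403. -->
  <security-role-mapping>
    <role-name>ADMINISTRATOR</role-name>
    <group-name>ADMINISTRATOR</group-name>
  </security-role-mapping>
</glassfish-web-app>
```

One <security-role-mapping> element is needed per role declared in web.xml; a role with no mapping (and no default mapping in effect) is never granted to anyone, which is exactly the "login succeeds, then 403" symptom reported above.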

@smillidge smillidge added this to the Payara 4.1.1.171 milestone Dec 1, 2016
@OndrejM OndrejM changed the title from 403 error occurs when Form-Authentication succeeded to 403 error occurs when Form-Authentication succeeded PAYARA-1244 Dec 1, 2016
@mikecroft mikecroft added the 2:WithDev label Dec 2, 2016
@mikecroft
Contributor

PAYARA-1244

@MasatoshiTada

Thank you so much!
I added glassfish-web.xml, and I found Form-Authentication succeeded properly.
MasatoshiTada/form-authentication-sample@40ede4f

@smillidge
Contributor

Fixed by #1218

@smillidge smillidge closed this Dec 14, 2016
@fturizo fturizo removed the 2:WithDev label Dec 14, 2016