Security Problems

This chapter covers problems that you may encounter as a result of Application Server security settings.


java.security.AccessControlException: Access Denied Error

  • Description
    This error is reported by an application client or appears in the server.log.
    There is a permissions issue in the policy files. Either the client.policy for the application client or the server.policy for server-side components does not have permission to set the property.
  • Solution
    Add the permission in client.policy (for the application client), or in server.policy (for EJB/web modules) for the application that needs to set the property. By default, applications only have "read" permission for properties.
    For example, to grant read/write permission on all properties to the code loaded from the codebase directory, add or append the following to client.policy or server.policy. Where only one property needs to be set, name it in place of "*" to keep the grant narrow.
    grant codeBase "file:/.../build/sparc_SunOS/sec/-" {
        permission java.util.PropertyPermission "*", "read,write";
    };

javax.ejb.AccessLocalException: Client Not Authorized Error

  • Description
    Role-mapping information is available in a Sun-specific XML file (for example, sun-ejb-jar.xml), and authentication succeeds, but the following error message is displayed:
    [...INFO|sun-appserver-pe8.0|javax.enterprise.system.container.ejb|...|
    javax.ejb.AccessLocalException: Client not authorized for this invocation.
    at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:...
    at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(...)
  • Solution
    Check whether the EJB module (.jar) or web module (.war) is packaged in an application (.ear) that lacks role-mapping information in the application-level, Sun-specific sun-application.xml. For any application (.ear), security role-mapping information must be specified in sun-application.xml. It is acceptable to have both module-level XML and application-level XML.
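
A check for this packaging problem, as an added example that is not part of the original guide or of the Application Server: it lists roles that an .ear or its modules declare in a security-role element but that have no security-role-mapping entry in META-INF/sun-application.xml. The archive names, role names and group name are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def role_names(xml_bytes, parent):
    """Collect <role-name> values that sit directly under each <parent> element."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
    return {c.text.strip()
            for el in ET.fromstring(xml_bytes).iter() if local(el.tag) == parent
            for c in el if local(c.tag) == "role-name" and c.text}

def unmapped_roles(ear_bytes):
    """Roles declared in the .ear or its modules but not mapped in sun-application.xml."""
    declared, mapped = set(), set()
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for name in ear.namelist():
            if name == "META-INF/application.xml":
                declared |= role_names(ear.read(name), "security-role")
            elif name == "META-INF/sun-application.xml":
                mapped |= role_names(ear.read(name), "security-role-mapping")
            elif name.endswith((".jar", ".war")):
                with zipfile.ZipFile(io.BytesIO(ear.read(name))) as module:
                    for descriptor in ("META-INF/ejb-jar.xml", "WEB-INF/web.xml"):
                        if descriptor in module.namelist():
                            declared |= role_names(module.read(descriptor), "security-role")
    return sorted(declared - mapped)

def make_zip(files):
    """Build an in-memory archive from {path: content}; used for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in files.items():
            z.writestr(path, content)
    return buf.getvalue()

# Constructed sample: an EJB module that declares two roles and maps one at module level.
EJB_JAR = make_zip({
    "META-INF/ejb-jar.xml": "<ejb-jar><assembly-descriptor>"
        "<security-role><role-name>manager</role-name></security-role>"
        "<security-role><role-name>staff</role-name></security-role>"
        "</assembly-descriptor></ejb-jar>",
    "META-INF/sun-ejb-jar.xml": "<sun-ejb-jar><security-role-mapping><role-name>manager"
        "</role-name><group-name>mgrs</group-name></security-role-mapping></sun-ejb-jar>",
})
SUN_APP = ("<sun-application><security-role-mapping><role-name>manager</role-name>"
           "<group-name>mgrs</group-name></security-role-mapping></sun-application>")
EAR_MODULE_ONLY = make_zip({"app-ejb.jar": EJB_JAR})  # no sun-application.xml at all
EAR_PARTIAL = make_zip({"app-ejb.jar": EJB_JAR, "META-INF/sun-application.xml": SUN_APP})
```

For EAR_MODULE_ONLY the module-level mapping in sun-ejb-jar.xml is present but every role is still reported, which is the situation described above.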

Authentication is Not Working With the Solaris Realm

Check whether the installation and server startup were performed as a local user instead of as the root user. Always start the Application Server as the root user, because the Solaris realm works only with the root user. It was not designed to work with any other local user. Note also that role mapping can happen on the local user.


Mutual Authentication Not Working With the Application Client

  • Description
    This failure can occur when the keystore and truststore properties are not set properly.
  • Solution
    Set the keystore and truststore properties on the JVM.
    To use the application client, set the environment variable VMARGS to the following value:
    -Djavax.net.ssl.keyStore=${admin.domain.dir}/${admin.domain}/config/keystore.jks
    -Djavax.net.ssl.trustStore=${admin.domain.dir}/${admin.domain}/config/cacerts.jks
