User-Roles missing after login on Glassfish JDBC-Realm

StackOverflow https://stackoverflow.com/questions/11886497

Question

I have a jdbc-realm configured on Glassfish and i am trying to implement authentication for users with multiple roles. I am using JPA to manage the database tables, JDK 1.7, Glassfish3+, and EclipseLink (JPA 2.0).

I already can successfully login using FORM based authentication, but as a logged-in user i dont have any of the defined roles assigned.

My entity mapping on the relevant classes is

PersonAccount.java:

@Entity
@Table(name="PersonAccount") 
public class PersonAccount implements Serializable {

@Id
@NotNull
private String userName;       
private String passwordHash;        

@ManyToMany(cascade={CascadeType.PERSIST})
private Set<UserRole> userRoles = new HashSet<UserRole>();;

...

UserRole.java:

@Entity
@Table(name="UserRole") 
public class UserRole extends NamedEntity implements Serializable {

@Enumerated(EnumType.ORDINAL)
private persons.util.RoleType roleType = RoleType.StudentRole;

@ManyToMany(mappedBy="userRoles", cascade=
    {CascadeType.PERSIST, CascadeType.REMOVE})
private Set<PersonAccount> personAccounts = new HashSet<PersonAccount>(); 

...

where the base class NamedEntity defines a primary key "id" and a value "name", and "PersonAccount" itself is assigned to a "Person".

When creating the first (master admin) account "admin admin" the content of my database looks like this:

PERSONACCOUNT:
.USERNAME = admin
.PASSWORDHASH = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
.PERSON_ID = 220002

PERSONACCOUNT_USERROLE:
.PERSONACCOUNTS_USERNAME admin
.USERROLES_ID = 220001

USERROLE:
.ID = 220001
.NAME = AdminRole
.ROLETYPE = 3

After creating the account i can login with form-based authentication. The principal-name returned is "admin", but none of the user-roles "AdminRole", "FacultyRole", "TeacherRole" or "StudentRole" is assigned. This i can verify by trying to access one of the security protected pages.

Here the configurations of my application and glassfish:

web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>klops</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?error=true</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Administrators</description>
    <role-name>AdminRole</role-name>
</security-role>
<security-role>
    <description>Faculty</description>
    <role-name>FacultyRole</role-name>
</security-role>    
<security-role>
    <description>Teachers</description>
    <role-name>TeacherRole</role-name>
</security-role>
<security-role>
    <description>Students</description>
    <role-name>StudentRole</role-name>
</security-role>

glassfish-web.xml

<security-role-mapping>
    <principal-name>admin</principal-name>      
    <role-name>AdminRole</role-name>
    <group-name>AdminRole</group-name>
</security-role-mapping>
<security-role-mapping>
    <principal-name>teacher</principal-name>
    <role-name>TeacherRole</role-name>
    <group-name>TeacherRole</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>StudentRole</role-name>
    <group-name>StudentRole</group-name>
    <principal-name>student</principal-name>
</security-role-mapping>
<security-role-mapping>
    <principal-name>faculty</principal-name>
    <role-name>FacultyRole</role-name>
    <group-name>FacultyRole</group-name>
</security-role-mapping>

And finally, the realm configuration:

    <auth-realm name="myjdbcrealm" classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm">
      <property name="jaas-context" value="jdbcRealm"></property>
      <property name="password-column" value="passwordhash"></property>
      <property name="assign-groups" value="AdminRole,FacultyRole,TeacherRole,StudentRole"></property>
      <property name="datasource-jndi" value="jdbc/__default"></property>
      <property name="user-table" value="personaccount"></property>
      <property name="group-table" value="userrole"></property>
      <property name="user-name-column" value="username"></property>
      <property name="group-name-column" value="name"></property>
      <property name="digest-algorithm" value="SHA-256"></property>
    </auth-realm>

I am kind of baffled by the fact that some of the information is found (i can only login with the created account, and only with the correct password), but when im logged in, the user context does not seem to possess any roles.

I have searched everywhere and tried for nearly a day now, but i cannot find the error here. It would even help to be able to list the roles a connected user has at the moment, but it seems the only way to check for a role is by knowing its name using

FacesContext.getCurrentInstance().getExternalContext().
    isUserInRole("AdminRole"));

Help on this problem would be greatly appreciated :)

Thanks,

Patrick

EDIT:

I created a view USER_ACCOUNTS which contains UserRole.name as UserName and PersonAccount_Userrole.username as UserName and changed the realm mapping accordingly, but i still get the same results. If the username equals the principal-name in the security role mapping, the user has all of the 4 roles. If i remove the principal-name from the mapping the user has no roles at all after logging in.

Now tables contents and configuration are:

PERSONACCOUNT: (Table)
.USERNAME = admin
.PASSWORDHASH = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
.PERSON_ID = 220002

USER_ACCOUNTS: (View)
.USERNAME = admin
.ROLENAME = AdminRole

and

  <property name="password-column" value="passwordhash"></property>
  <property name="assign-groups" value="AdminRole,FacultyRole,TeacherRole,StudentRole"></property>
  <property name="user-table" value="personaccount"></property>
  <property name="group-table" value="user_accounts"></property>
  <property name="user-name-column" value="username"></property>
  <property name="group-name-column" value="rolename"></property>
  <property name="digest-algorithm" value="SHA-256"></property>
Était-ce utile?

La solution

Given your auth-realm definition (which I'm assuming is valid for the moment), I'd expect to see two tables (with minimum information similar to):

CREATE TABLE `personaccount` (
  `username` varchar(32) NOT NULL,
  `passwordhash` varchar(64) DEFAULT NULL,
  PRIMARY KEY (`username`)
);

CREATE TABLE `userrole` (
  `username` varchar(32) NOT NULL,
  `name` varchar(32) DEFAULT NULL, -- role name
  PRIMARY KEY (`username`,`name`) -- allow multiple roles per user
);

Note that the username column has the same (column) name in both tables.

I see that you have three tables: 

PERSONACCOUNT
PERSONACCOUNT_USERROLE
USERROLE

If you want to preserve that structure, then create a view to map the PERSONACCOUNT_USERROLE and USERROLE tables into something looks like the group table shown above, and make that view your group-table.

I can confirm that this view-based strategy works with Glassfish 3.1.X and MySQL; it may not be portable to other app-servers.

Not sure what you're trying to accomplish with your security-role-mapping including the principal name, other than possibly trying to work around the missing roles from the JDBC Realm.

Likewise, the purpose of the realm property assign-groups is to establish a set of groups that are always defined for all users. I gather from your later comments this behavior was unexpected; this is apparently the cause.

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top