Whenever I access a protected page on the production server (Glassfish 3.1.2.2 on Debian), I get the following error:

java.net.MalformedURLException: access denied ("org.osgi.framework.AdminPermission" "(id=222)" "resolve,resource")

According to the server log (see below), the error is about access being denied, but my login script (using JAAS) works fine.

[#|2013-06-15T09:25:49.362-0400|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=86;_ThreadName=Thread-2;|START OF PHASE RESTORE_VIEW 1|#]

[#|2013-06-15T09:25:49.368-0400|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=86;_ThreadName=Thread-2;|JACC Policy Provider:Failed Permission Check: context (" BFjsf/BFjsf ") , permission (" ("org.osgi.framework.AdminPermission" "(id=222)" "resolve,resource") ") |#]

[#|2013-06-15T09:25:49.371-0400|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=86;_ThreadName=Thread-2;|END OF PHASE RESTORE_VIEW 1|#]

[#|2013-06-15T09:25:49.374-0400|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=86;_ThreadName=Thread-2;|StandardWrapperValve[Faces Servlet]: PWC1406: Servlet.service() for servlet Faces Servlet threw exception

java.net.MalformedURLException: access denied ("org.osgi.framework.AdminPermission" "(id=222)" "resolve,resource")
at java.net.URL.<init>(URL.java:619)
at java.net.URL.<init>(URL.java:482)

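To my surprise, the error does not occur on my development setup (Windows + Netbeans 7.3), only on the online server, which has a valid SSL certificate.

The problem appears whenever I try to access a protected page that has a security constraint, or in other words, when the address shown in the browser is under the /pages/... directory (the address displayed by JSF is always one page behind).

For example: https://labottedefoin.org/BFjsf/pages/membres/Lister.xhtml?cid=1

As defined in the security constraints of the web.xml file: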

    <security-constraint>
        <display-name>Authentification</display-name>
        <web-resource-collection>
            <web-resource-name>pages securisees</web-resource-name>
            <url-pattern>/pages/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>usagers_actifs</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>Accueil securise</display-name>
        <web-resource-collection>
            <web-resource-name>accueil securise</web-resource-name>
            <url-pattern>/accueil_secure.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>BF_realm_config</realm-name>
    </login-config>
    <security-role>
        <description>Rôle correspondant aux usagers ayant «membres_actifs» dans la colonne «groupes» de la table «membres_jaas_authen»</description>
        <role-name>usagers_actifs</role-name>
    </security-role>

I checked that ~/glassfish/domains/domain1/config/server.policy contains (by default) the authorization for the OSGi modules:

// Felix classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
    permission java.security.AllPermission;
};

I tried adding the required permission (as below), without success:

// Felix classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
    permission java.security.AllPermission;
    permission org.osgi.framework.AdminPermission "(id=222)", "resolve,resource";
};

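Perhaps the permission is not granted in the right section or in the right file.

Does anyone know how to solve this problem? Thanks in advance.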

1 Answer

I finally solved my problem by adding the permission to the general java.policy file.

That is, I added the following line:

permission org.osgi.framework.AdminPermission "(id=222)", "resolve,resource";

at the end of the file

/usr/lib/jvm/jdk1.7.0_21/jre/lib/security/java.policy

Answered 2013-06-17T02:05:07.553
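
Added example, not part of the original question or answer: a simplified Python model of how policy-file `grant` blocks are scoped by `codeBase`. It shows that a permission placed in the Felix grant reaches only code under `osgi/felix/bin`, while a grant with no `codeBase` reaches all code run by that JRE. The install root, the web-app location and the layout of the `java.policy` grant are assumptions; `signedBy`, `principal`, the `/*` form and the real `implies()` matching are not modelled.

```python
import re

ADMIN = ("org.osgi.framework.AdminPermission", "(id=222)", "resolve,resource")
ALL = ("java.security.AllPermission", "", "")

# The Felix grant from server.policy as edited in the question (text from the page).
SERVER_POLICY = '''
// Felix classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
    permission java.security.AllPermission;
    permission org.osgi.framework.AdminPermission "(id=222)", "resolve,resource";
};
'''
# Constructed: the same permission in a grant with no codeBase (assumed layout).
JAVA_POLICY = '''
grant {
    permission org.osgi.framework.AdminPermission "(id=222)", "resolve,resource";
};
'''
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')

def parse_policy(text, props):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)   # drop whole-line comments
    expand = lambda s: re.sub(r'\$\{([^}]+)\}', lambda m: props.get(m.group(1), m.group(0)), s)
    return [(expand(cb) if cb else None, PERM_RE.findall(body))
            for cb, body in GRANT_RE.findall(text)]

def codebase_covers(codebase, location):
    """Simplified CodeSource match: no codeBase, trailing '/-', or exact URL."""
    if codebase is None:                # no codeBase: the grant applies to all code
        return True
    if codebase.endswith('/-'):         # everything below the directory, recursively
        return location.startswith(codebase[:-1])
    return location == codebase

def granting_blocks(grants, location, perm):
    """codeBase of each grant (None = all code) that gives perm to code at location."""
    return [cb for cb, perms in grants
            if codebase_covers(cb, location) and (perm in perms or ALL in perms)]

# Constructed values: the install root and both code locations are assumptions.
PROPS = {"com.sun.aas.installRoot": "/opt/glassfish3/glassfish"}
WEBAPP = "file:/opt/glassfish3/glassfish/domains/domain1/applications/BFjsf/WEB-INF/classes/"
FELIX = "file:/opt/glassfish3/glassfish/osgi/felix/bin/felix.jar"

if __name__ == "__main__":
    for name, text in (("server.policy", SERVER_POLICY), ("java.policy", JAVA_POLICY)):
        print(name, granting_blocks(parse_policy(text, PROPS), WEBAPP, ADMIN))
```

A `None` entry in the result marks a grant that is not limited to any code location, which is the scope to review when a permission is added to a JRE-wide policy file.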