
I have an enterprise application and an enterprise client application (I use GlassFish server). What should I do in order to use ProgrammaticLogin in the client application? Every blog or book describes how to create tables in the database, a JDBC realm on GlassFish, and role-group mappings. And that's all. The official Oracle site says:

The ProgrammaticLoginPermission permission is required to invoke the programmatic login mechanism for an application if the security manager is enabled. For information about the security manager, see The server.policy File. This permission is not granted by default to deployed applications because this is not a standard Java EE mechanism.

To grant the required permission to the application, add the following to the domain-dir/config/server.policy file:

grant codeBase "file:jar-file-path" {
    permission com.sun.appserv.security.ProgrammaticLoginPermission "login";
};

But I didn't find any examples concerning it, so I'm not sure if it is obligatory. What is more, I guess there should be a step where I would tell ProgrammaticLogin which realm to use? Right now, ProgrammaticLogin always returns true (for wrong passwords too), and I'm sure it's because none of the tutorials describes all the necessary steps.

peter

1 Answer


Trying the same thing myself. Also funny: from what I've found out so far on the web, all of the methods specified in the javaee5 spec for this API are now deprecated, and methods with char[] arg1 (instead of String password) are specified ready for use. There is no API info whatsoever on these methods, and a simple password.toCharArray() does not work at all.

On the other hand, login works for me, though partially. Though it always returns true, it does throw an exception when login fails. But I think it does not perform the login itself; the container still asks me to log in even after performing the login function of ProgrammaticLogin. I am using this within the web container, and I guess this could be because I am not using the functions which take HttpServletRequest and Response... I've added the permission in the GlassFish domain's server.policy, though, like this:

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
    permission com.sun.appserv.security.ProgrammaticLoginPermission
    "login";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/eclipseApps/-" {
    permission com.sun.appserv.security.ProgrammaticLoginPermission
    "login";
};

edit: I have given up on this way of doing the login, at least for the web container. This might still be useful for authenticating EJB or something like that, that part at least probably will work.

For my part, I just used BalusC's answer from here: "Performing user authentication in Java EE / JSF using j_security_check" (using HttpServletRequest.login() of Servlet 3.0). The other high-voted one probably will do the trick too.

Community
Neikius
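The Servlet 3.0 route mentioned in the answer, as an added example (not code from the original post or from the linked answer). The servlet class, URL pattern and form parameter names are assumptions, and the realm is taken to be the one configured in the web application's login-config. Here a rejected password surfaces as a ServletException rather than through a Boolean return value.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: class name, URL pattern and parameter names are assumptions.
// The realm used is the one named in web.xml <login-config><realm-name>.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (request.getUserPrincipal() != null) {
            // Already authenticated: login() would throw, so just continue.
            response.sendRedirect(request.getContextPath() + "/");
            return;
        }
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Start a fresh session before logging in, so a session id issued
        // before authentication is not carried into the authenticated state.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);
        try {
            // Throws ServletException when the container rejects the
            // credentials; there is no return value to misread as success.
            request.login(username, password);
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Accept the login only if the container now reports a caller identity.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```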