Tags: glassfish, ejb, security-policy

Why would Glassfish generate an incomplete granted.policy file?

Version: GlassFish Server 3.1.2.2 (build 5)

I have an EAR project which contains a WAR and a single EAR.

In the META-INF folder of the EAR, I have a sun-application.xml file which maps a selection of roles to groups.

In the default file realm for Glassfish, I have configured users which map to these groups.

I am not using Default Role to Mapping and I have not activated the Security Manager.

Access works perfectly. This is further proven by removing the deployment descriptor, which causes an Authorization exception when trying to log in without it.

However, when trying to access a seemingly random (but consistent) selection of my EJBs, I am greeted with the infamous Glassfish "javax.ejb.AccessLocalException: Client not authorized for this invocation" exception.

I have tried to delete my generated Policy files and redeploy the server, but this does not work.

When I look into the Policy file for my EJB, straight away I notice that the afflicted EJB grants are missing.

It would appear that one or two roles per group as defined in the sun-application.xml file are being missed.

Why would Glassfish fail to generate a complete policy file from a (proven) working sun-application.xml and (proven) set of @RolesAllowed definitions?

Here's the deployment descriptor:

<!DOCTYPE sun-application PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Java EE Application 6.0//EN" "http://www.sun.com/software/appserver/dtds/sun-application_6_0-0.dtd">
<sun-application>

    <security-role-mapping>
        <role-name>ViewAllData</role-name>
        <role-name>BasicUser</role-name>
        <group-name>BasicGroup</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>DataSupervisor</role-name>
        <group-name>DatasetSupervisors</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>FindData</role-name>
        <role-name>FindSubData</role-name>
        <group-name>DatasetUsers</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>ManageData</role-name>
        <role-name>ManageSubData</role-name>
        <role-name>InvokeDataload</role-name>
        <group-name>DatasetManagers</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>ResolveGroup1</role-name>
        <role-name>ResolveGroup2</role-name>
        <role-name>ResolveGroup3</role-name>
        <group-name>Decoders</group-name>
    </security-role-mapping>

</sun-application>

For some reason, the roles ResolveGroup1 and ViewAllData are missing from the EJB granted.policy file, despite appearing in a couple of EJBs:

import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.interceptor.Interceptors;
import org.springframework.ejb.interceptor.SpringBeanAutowiringInterceptor;

// Bean restricted to the ResolveGroup1 role (annotations as posted in the question)
@RolesAllowed({"ResolveGroup1"})
@Stateless(mappedName = "ejb/FindGroupOneController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class FindGroupOneControllerImpl implements FindGroupOneController {
    // bean methods omitted in the question
}

// Bean restricted to the ViewAllData role (annotations as posted in the question)
@RolesAllowed({"ViewAllData"})
@Stateless(mappedName = "ejb/ViewDataController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class ViewDataControllerImpl implements ViewDataController {
    // bean methods omitted in the question
}

Solution

  • Unless someone can tell me otherwise, it looks like the reason I was having problems is because you may use only one <role-name> per <security-role-mapping>.
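The following is an added example, not code from the question or from GlassFish, that turns the author's finding into a pre-deployment check. It parses a sun-application.xml (a constructed sample built from the question's own mappings), flags every `<security-role-mapping>` that carries more than one `<role-name>`, rewrites the descriptor so each mapping holds exactly one role while keeping its group and principal names, and cross-checks the roles named in `@RolesAllowed` annotations against the roles the descriptor actually maps. The Java fragment is constructed too, and includes one role (`Auditor`) that is deliberately absent from the descriptor so the cross-check has something to report; the regular expression for `@RolesAllowed` is an assumption that covers the single- and brace-list forms used in the question, not a full Java parser.

```python
"""Lint a sun-application.xml role mapping and cross-check it against @RolesAllowed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three of the mappings from the question, two with several role-names.
SAMPLE_DESCRIPTOR = """<sun-application>
  <security-role-mapping>
    <role-name>ViewAllData</role-name>
    <role-name>BasicUser</role-name>
    <group-name>BasicGroup</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>DataSupervisor</role-name>
    <group-name>DatasetSupervisors</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>ResolveGroup1</role-name>
    <role-name>ResolveGroup2</role-name>
    <role-name>ResolveGroup3</role-name>
    <group-name>Decoders</group-name>
  </security-role-mapping>
</sun-application>
"""

# Constructed sample: Java fragments in the shape of the question's beans; "Auditor" is
# intentionally not mapped in the descriptor above so the cross-check reports it.
SAMPLE_JAVA = """
@RolesAllowed({"ResolveGroup1"})
@Stateless(mappedName = "ejb/FindGroupOneController")
public class FindGroupOneControllerImpl implements FindGroupOneController {}

@RolesAllowed({"ViewAllData", "Auditor"})
@Stateless(mappedName = "ejb/ViewDataController")
public class ViewDataControllerImpl implements ViewDataController {}
"""

# Assumed annotation shape: @RolesAllowed("X") or @RolesAllowed({"X", "Y"}).
ROLES_ALLOWED = re.compile(r'@RolesAllowed\s*\(\s*\{?([^})]*)\}?\s*\)')


def parse_mappings(xml_text):
    """Return (role_names, group_names, principal_names) for every <security-role-mapping>."""
    root = ET.fromstring(xml_text)
    result = []
    for m in root.iter("security-role-mapping"):
        roles = [e.text.strip() for e in m.findall("role-name")]
        groups = [e.text.strip() for e in m.findall("group-name")]
        principals = [e.text.strip() for e in m.findall("principal-name")]
        result.append((roles, groups, principals))
    return result


def overloaded_mappings(xml_text):
    """Role lists of mappings with more than one <role-name>: the shape the author found unreliable."""
    return [roles for roles, _, _ in parse_mappings(xml_text) if len(roles) > 1]


def normalize(xml_text):
    """Rewrite so each <security-role-mapping> names exactly one role; other children are kept."""
    root = ET.fromstring(xml_text)
    new_root = ET.Element(root.tag, root.attrib)
    for child in list(root):
        if child.tag != "security-role-mapping":
            new_root.append(child)
            continue
        roles = [e.text.strip() for e in child.findall("role-name")]
        groups = [e.text.strip() for e in child.findall("group-name")]
        principals = [e.text.strip() for e in child.findall("principal-name")]
        for role in roles:
            m = ET.SubElement(new_root, "security-role-mapping")
            ET.SubElement(m, "role-name").text = role
            for p in principals:
                ET.SubElement(m, "principal-name").text = p
            for g in groups:
                ET.SubElement(m, "group-name").text = g
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(new_root)
    return ET.tostring(new_root, encoding="unicode")


def roles_allowed(java_text):
    """Every role named in an @RolesAllowed annotation in the given source text."""
    found = set()
    for m in ROLES_ALLOWED.finditer(java_text):
        found.update(re.findall(r'"([^"]+)"', m.group(1)))
    return found


def unmapped_roles(xml_text, java_text):
    """Roles the beans require that no mapping in the descriptor covers (sorted)."""
    mapped = {r for roles, _, _ in parse_mappings(xml_text) for r in roles}
    return sorted(roles_allowed(java_text) - mapped)


if __name__ == "__main__":
    print("mappings with several roles:", overloaded_mappings(SAMPLE_DESCRIPTOR))
    print("roles in code but not mapped:", unmapped_roles(SAMPLE_DESCRIPTOR, SAMPLE_JAVA))
    print(normalize(SAMPLE_DESCRIPTOR))
```

Running the check against the real descriptor and the EJB sources before `asadmin deploy` catches both failure modes the question describes: a mapping shape that may not produce grants for every role, and a role referenced by a bean that the descriptor never maps at all (which fails the same way at runtime, with "Client not authorized for this invocation").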