I get this output in the NetBeans GlassFish output window when a request is made from the Internet to the login page:

    INFO: JACC policy provider: permission check error: context ("WebApplication2 / WebApplication2"), permission ("(" javax.security.jacc.WebUserDataPermission "/login.xhtml" "GET") ")

This does not happen when the request is made from the local network or from localhost, and the page is served over HTTPS as required.
I am trying to configure a login page to use transport layer security to protect user passwords during a login request. I hope this can be achieved using only the Faces servlet with declarative security in the web.xml deployment descriptor.

I am using form-based authentication with a custom Facelets form that does not use j_security_check and instead logs in through the request.login method. The login form has the following security constraint in web.xml:
    <security-constraint>
        <display-name>secure login</display-name>
        <web-resource-collection>
            <web-resource-name>login.xhtml</web-resource-name>
            <description/>
            <url-pattern>/login.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
There is no auth-constraint element, since this form is obviously intended for unauthenticated users. The only reason there is a security constraint at all is that the transport-guarantee sub-element can be set to CONFIDENTIAL, which provides a secure connection.
The Java EE 6 tutorial states here that:
If there is no authorization restriction, the container should accept the request without user authentication
and
User data constraints are conveniently combined with basic and form-based user authentication. When the login authentication method is set to BASIC or FORM, passwords are not protected, which means that passwords sent between the client and server in an insecure session can be viewed and intercepted by third parties. Using a user data constraint with the user authentication mechanism can alleviate this problem. Configuring a user authentication mechanism is described in the "Defining an Authentication Mechanism in a Deployment Descriptor" section.
Why does JACC perform a permission check if access to this resource does not require one? And why does this happen only for requests from the Internet and not from the local network?
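As an added example (not code from the question or from the GlassFish project), this is the kind of JSF backing bean the question describes: a custom Facelets form that calls HttpServletRequest.login() instead of posting to j_security_check. The class, bean property and navigation outcome names are hypothetical. The transport-guarantee CONFIDENTIAL constraint in web.xml above is what actually forces HTTPS at the container; the isSecure() check in the bean is only a defence-in-depth guard so that credentials are never submitted if a request somehow arrives over plain HTTP (for example through a misconfigured proxy or constraint).

```java
// Added example, not from the original question. Hypothetical JSF 2 / Servlet 3.0
// (Java EE 6) managed bean that performs programmatic form login.
package example; // hypothetical package

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@ManagedBean
@RequestScoped
public class LoginBean {

    private String username;
    private String password;

    // Bound to the submit button of the custom login.xhtml form (assumed).
    public String login() {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();

        // Defence in depth: the CONFIDENTIAL user-data-constraint in web.xml
        // should already have redirected plain HTTP to HTTPS, but refuse to
        // handle the password if the request did not arrive over TLS.
        if (!request.isSecure()) {
            fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Login is only accepted over HTTPS.", null));
            password = null;
            return null; // stay on login.xhtml, nothing was sent to the realm
        }

        try {
            // Servlet 3.0 programmatic login against the realm configured for
            // the web application; throws ServletException on failure.
            request.login(username, password);
        } catch (ServletException e) {
            // One generic message for unknown user and wrong password, so the
            // form does not reveal which accounts exist.
            fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Login failed.", null));
            return null;
        } finally {
            // Do not keep the clear-text password in the bean after use.
            password = null;
        }

        // Hypothetical navigation outcome; the redirect keeps the POSTed
        // credentials out of the browser history and refresh behaviour.
        return "index?faces-redirect=true";
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
```

Note that this bean does not replace the declarative constraint: only the container's user-data-constraint can turn an initial http:// request for /login.xhtml into a redirect to https://, and that happens before any managed bean runs. The bean's check merely guarantees that if that redirect did not happen, the password is discarded rather than passed to request.login().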