12 Replies Latest reply on Jan 26, 2012 2:22 PM by Udo

    listenerAdmin not working in Glassfish

    FMignault
      After installing Glassfish and the APEX Listener on different servers (all windows 2003) for two different customers, I always have an issue with listenerAdmin

      Here is how I do my install :

      1- install glassfish by installing Java EE 6 SDK Update 3 with JDK 7 Update 1 .

      2- I follow , exactly, the documented install procedure. I create the adminlistener in Admin group and managerlistener in Manager group in default-config / security / realm / file / manage users

      3- I change de default location of the configuration files in web.xml in C:\glassfish3\glassfish\domains\domain1\applications\apex\WEB-INF

      4- I stop and restart glassfish and reload apex

      5- Default role to mapping is checked in default-config / security

      6- I am able to run the listenerConfigure without any problems, the config files goes to the new directory specified in web.xml

      7- Apex is running fine , but listenerAdmin gives me an http 403 error ! ?

      The question is :

      Why is listenerAdmin not working ? It prompts me for a username / pass , I enter the adminlistener and get the following error : HTTP Status 403 - Access to the requested resource has been denied

      It does that on all my installs on windows 2003 with glassfish 3.1.1 and apex listener version 1.1.3.243.11.40


      Thanks

      Francis.
        • 1. Re: listenerAdmin not working in Glassfish
          Rafi (Oracle DBA)
          Hi Francis,
          The below link will be useful in resolving the issue.

          can't logon to listeneradmin url





          Best regards,

          Rafi.
          • 2. Re: listenerAdmin not working in Glassfish
            Udo
            And what about this thread: {thread:id=2308949}, especially the answers to my questions in {message:id=10008325}
            Please only leave one thread open. As we started troubleshooting in the other thread before, I suggest to follow up there and close this thread.

            Thanks,

            Udo
            • 3. Re: listenerAdmin not working in Glassfish
              FMignault
              Hi Udo,

              I tought that the other thread was more confusing that anything else. I will close it.

              This issue is now happening on 3 different installs , on windows 2003.

              I did assign the Admin (with uppercase A) group to the user adminlistener and the Manager group to managerlistener
              and neither of them are able to run the listenerAdmin page... I still get a 403.

              And I did change the web.xml so that the config is stored in a safe place instead of the temp directory.

              Thanks

              Francis.
              • 4. Re: listenerAdmin not working in Glassfish
                FMignault
                Hi Udo,

                Here is what I changed in C:\glassfish3\glassfish\domains\domain1\applications\apex\WEB-INF\web.xml , I removed the comments and set the directory of config.dir .

                <web-app id="WebApp_ID" version="2.4"
                     xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
                     <display-name>ApexMod</display-name>

                     <context-param>
                          <param-name>config.dir</param-name>
                          <param-value>C:/app/dba/admin/PROD/apex</param-value>
                     </context-param>
                     <context-param>
                          <param-name>version</param-name>
                          <param-value>1.1.3.243.11.40</param-value>
                     </context-param>

                I did that before even running the listener , and it created the config.xml in that new directory.


                Francis.
                • 5. Re: listenerAdmin not working in Glassfish
                  Udo
                  Hi Francis,

                  thanks for "cleaning up". If you like, you could edit your last post there to link a follow up to this thread. ;)

                  The configuration of the config.dir looks okay to me. I'd expect the APEX Listener to use the config file from that location.

                  Anyway, this part shouldn't have any impact on the 403 you get for listenerAdmin, which is why I still suggest you should do the checks I posted in the other thread:

                  - Does your server instance really use the default-configuration or is it actually a non-default one, e.g. server-configuration ? You have to be sure to configure the Realm in the right configuration.
                  - Is the Realm you created the users in ( file ) actually the default Realm of your configuration?
                  - Did you assign the groups Admin and Manager to that Realm?
                  - Is the Security option "Default Principal To Role Mapping" in your configuration activated and you've (re)deployed the application afterwards?

                  As far as I know, you didn't post any results on these points yet.

                  -Udo
                  • 6. Re: listenerAdmin not working in Glassfish
                    FMignault
                    Hi Udo,

                    Thanks a lot for your help.

                    Here are my anwsers to your questions :

                    Q- Does your server instance really use the default-configuration or is it actually a non-default one, e.g. server-configuration ? You have to be sure to configure the Realm in the right configuration.
                    A- How do I make sure that the server instance really uses the default-configuration ?

                    Q- Is the Realm you created the users in ( file ) actually the default Realm of your configuration?
                    A- Yes, I configured the security in default-config. And when I check in the server-config realm , the users are also there.

                    Q- Did you assign the groups Admin and Manager to that Realm?
                    A- I tought that by setting the group at the user level was enough (Default-config /security / Realms / file / manage users) . Is there a configuration where I have to directly assign the Admin group to the Realm ?

                    Q- Is the Security option "Default Principal To Role Mapping" in your configuration activated and you've (re)deployed the application afterwards?
                    A- Yes


                    Francis.
                    • 7. Re: listenerAdmin not working in Glassfish
                      FMignault
                      Hi Udo,

                      Here is a snapshot of my default-config in Glassfish : http://twitpic.com/7ws1lt



                      Francis.
                      • 8. Re: listenerAdmin not working in Glassfish
                        Udo
                        Hi Francis,

                        thanks for answering so well-structured.
                        Q- Does your server instance really use the default-configuration or is it actually a non-default one, e.g. server-configuration ? You have to be sure to configure the Realm in the right configuration.
                        A- How do I make sure that the server instance really uses the default-configuration ?
                        Go to the Configurations node. You'll see a table with configurations you have (e.g. default-config, server-config ) and the instances that use it (e.g. the default "server" instance, which should be running).
                        Q- Is the Realm you created the users in ( file ) actually the default Realm of your configuration?
                        A- Yes, I configured the security in default-config. And when I check in the server-config realm , the users are also there.
                        Okay. Just to make sure: When you click on the Security node of your configuration, file is the value selected in the drop-down list for Default Realm, right?
                        Q- Did you assign the groups Admin and Manager to that Realm?
                        A- I tought that by setting the group at the user level was enough (Default-config /security / Realms / file / manage users) . Is there a configuration where I have to directly assign the Admin group to the Realm ?
                        When you go to .../Security/Realms/file you'll find a text field "Assign Groups". Did you ever enter something there? (It was never necessary in my installations. In contrary, I once did and could not remove that assignment ever after, so I guess this function is somewhat buggy and hence should be left alone...)
                        Q- Is the Security option "Default Principal To Role Mapping" in your configuration activated and you've (re)deployed the application afterwards?
                        A- Yes
                        Okay.
                        And I assume, you've already tried very simple passwords like test or similar before, right?

                        So, what I've learned from other threads is that both listenerStatus and listenerAdmin use the same realm for basic authentication ("APEX"). If your browser stores your authentication information for one of these realms (which it usually does) and you try to enter the other part, it resends these information, which can lead to a 403 (as discussed in {thread:id=2296251}).
                        Possibly this caching is even instance-independent (as the realm doesn't include any host/instance/... information), so if you've entered different credentials for another instance, this could be an explanation as well. Could you try to erase any entry concerning APEX Listener from your browser cache? Or try a different browser you ususally don't use, perhaps even a portable version of Firefox or something like that, where you can be sure you have a fresh start and can safely abandon everything once you've done?
                        This would be a very interesting "extension" of that unfavorable behaviour caused by the realm...

                        -Udo
                        • 9. Re: listenerAdmin not working in Glassfish
                          FMignault
                          Hi Udo,

                          Thanks for your help. I really would like to resolve that issue since this is a production setup.
                          Sorry for the long delay for my response , but I was out of the office for the Holidays ;) (Happy new year !)

                          Ok , I checked everything, and I am still not able to figure out why I cannot access the listenerAdmin page.

                          Udo wrote:
                          Hi Francis,

                          thanks for answering so well-structured.
                          Q- Does your server instance really use the default-configuration or is it actually a non-default one, e.g. server-configuration ? You have to be sure to configure the Realm in the right configuration.
                          A- How do I make sure that the server instance really uses the default-configuration ?
                          Go to the Configurations node. You'll see a table with configurations you have (e.g. default-config, server-config ) and the instances that use it (e.g. the default "server" instance, which should be running).
                          It says : server-config server Running

                          Q- Is the Realm you created the users in ( file ) actually the default Realm of your configuration?
                          A- Yes, I configured the security in default-config. And when I check in the server-config realm , the users are also there.
                          Okay. Just to make sure: When you click on the Security node of your configuration, file is the value selected in the drop-down list for Default Realm, right?
                          Yes .
                          Q- Did you assign the groups Admin and Manager to that Realm?
                          A- I tought that by setting the group at the user level was enough (Default-config /security / Realms / file / manage users) . Is there a configuration where I have to directly assign the Admin group to the Realm ?
                          When you go to .../Security/Realms/file you'll find a text field "Assign Groups". Did you ever enter something there? (It was never necessary in my installations. In contrary, I once did and could not remove that assignment ever after, so I guess this function is somewhat buggy and hence should be left alone...)
                          Nothing in Assign Groups
                          Q- Is the Security option "Default Principal To Role Mapping" in your configuration activated and you've (re)deployed the application afterwards?
                          A- Yes
                          Okay.
                          And I assume, you've already tried very simple passwords like test or similar before, right?
                          Yes , I even tried with another user in the Admin group without password , and still getting this 403 error :(
                          So, what I've learned from other threads is that both listenerStatus and listenerAdmin use the same realm for basic authentication ("APEX"). If your browser stores your authentication information for one of these realms (which it usually does) and you try to enter the other part, it resends these information, which can lead to a 403 (as discussed in {thread:id=2296251}).
                          Possibly this caching is even instance-independent (as the realm doesn't include any host/instance/... information), so if you've entered different credentials for another instance, this could be an explanation as well. Could you try to erase any entry concerning APEX Listener from your browser cache? Or try a different browser you ususally don't use, perhaps even a portable version of Firefox or something like that, where you can be sure you have a fresh start and can safely abandon everything once you've done?
                          There are no other installs on that server and I tried with a new install of Firefox . Still get this damn 403 error.
                          It really looks like there is some problem with the permissions. But everything seems ok... I don't know what else to check or if there would be any log files that would give me more details about that 403 when trying to access listenerAdmin.

                          Francis.
                          • 10. Re: listenerAdmin not working in Glassfish
                            Udo
                            Hi Francis,

                            it took me some days to think about that issue, and I'm really close to the end of options...
                            (BTW: Happy new year for you as well! ;) )

                            So after all, the general setup on your GlassFish seems to be as it has to be. I see two more points that could be worth a check:

                            a) Did you modify the web.xml of your APEX Listener? Possibly you've coincidentally hit some key at a point where it disturbs the predefined mapping. I know this sounds very unlikely, but as I told you before, there's not much more that I could think of, and I've seen such things happen, especially when people use a text based editor like vi - some punch of "a" or "i" to much at some place is sometimes hard to notice...

                            b) Does your JDK have non-standard policies? Perhaps there is some policy that blocks the authentication mechanism from working. Of course, you should see corresponding errors in the server/application log. Is there anything that indicates such kind of error in your logs?

                            And as of reviewing your initial post, a third option comes into my mind:
                            c) Perhaps some Win 2003 specific issue is causing that problem. Have you ever tried to configure the APEX Listener on a Windows workstation? After all,the basic GlassFish "installation" is just unzipping and starting it. That's how I maintain to have a simple reference on my laptop, and deploying APEX Listener to it worked without problems for me.

                            I hope one of these three points is the cause, can be eliminated and you get your APEX Listener fully operational.

                            -Udo
                            • 11. Re: listenerAdmin not working in Glassfish
                              FMignault
                              Hi Udo,
                              a) Did you modify the web.xml of your APEX Listener? Possibly you've coincidentally hit some key at a point where it disturbs the predefined mapping. I know this sounds very unlikely, but as I told you before, there's not much more that I could think of, and I've seen such things happen, especially when people use a text based editor like vi - some punch of "a" or "i" to much at some place is sometimes hard to notice...
                              I checked , and everything seems fine. We actually had to re-install everything due to a Disk Crash , and I reconfigured the APEX Listener in Glassfish. I was very careful with the configuration and the modification of the WEB.XML file. Unfortunately , I am not able to run the listenerAdmin page. listenerConfigure ran fine and created the config files in the new location.

                              b) Does your JDK have non-standard policies? Perhaps there is some policy that blocks the authentication mechanism from working. Of course, you should see corresponding errors in the server/application log. Is there anything that indicates such kind of error in your logs?
                              Here is what I found in the log :
                              [#|2012-01-23T11:33:40.659-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=1;_ThreadName=Thread-2;|GlassFish Server Open Source Edition 3.1.1 (12) heure de démarrage : Felix (1 984ms), services de démarrage(7 282ms), total(9 266ms)|#]

                              [#|2012-01-23T11:33:40.737-0500|INFO|glassfish3.1.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=66;_ThreadName=Thread-2;|L’utilisateur [] de l’hôte tvhoraire ne dispose pas d’un accès d’administration, ou bien le nom d’utilisateur ou le mot de passe fourni est incorrect.|#]

                              [#|2012-01-23T11:33:40.909-0500|INFO|glassfish3.1.1|javax.enterprise.system.tools.admin.org.glassfish.server|_ThreadID=74;_ThreadName=Thread-2;|JMXStartupService: Started JMXConnector, JMXService URL = service:jmx:rmi://tvhoraire:8686/jndi/rmi://tvhoraire:8686/jmxrmi|#]

                              [#|2012-01-23T11:33:47.909-0500|INFO|glassfish3.1.1|javax.enterprise.resource.webcontainer.jsf.config|_ThreadID=64;_ThreadName=Thread-2;|Initialisation de Mojarra 2.1.3 (FCS b02) pour le contexte «»|#]

                              [#|2012-01-23T11:33:49.221-0500|INFO|glassfish3.1.1|org.hibernate.validator.engine.resolver.DefaultTraversableResolver|_ThreadID=64;_ThreadName=Thread-2;|Instantiated an instance of org.hibernate.validator.engine.resolver.JPATraversableResolver.|#]

                              [#|2012-01-23T11:33:50.362-0500|INFO|glassfish3.1.1|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=64;_ThreadName=Thread-2;|WEB0671: Loading application [__admingui] at []|#]

                              [#|2012-01-23T11:33:50.362-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=64;_ThreadName=Thread-2;|CORE10010: Loading application __admingui done in 9 703 ms|#]

                              [#|2012-01-23T11:33:50.362-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.com.sun.enterprise.v3.admin.adapter|_ThreadID=64;_ThreadName=Thread-2;|The Admin Console application is loaded.|#]

                              [#|2012-01-23T11:33:51.799-0500|INFO|glassfish3.1.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=67;_ThreadName=Thread-2;|L’utilisateur [] de l’hôte 127.0.0.1 ne dispose pas d’un accès d’administration, ou bien le nom d’utilisateur ou le mot de passe fourni est incorrect.|#]

                              [#|2012-01-23T11:33:53.346-0500|WARNING|glassfish3.1.1|org.apache.catalina.connector.Request|_ThreadID=45;_ThreadName=Thread-2;|PWC4011: Unable to set request character encoding to UTF-8 from context , because request parameters have already been read, or ServletRequest.getReader() has already been called|#]

                              [#|2012-01-23T11:33:53.362-0500|INFO|glassfish3.1.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=66;_ThreadName=Thread-2;|L’utilisateur [] de l’hôte 127.0.0.1 ne dispose pas d’un accès d’administration, ou bien le nom d’utilisateur ou le mot de passe fourni est incorrect.|#]


                              It tells me that the user [] does not have admin privilege or the username/password is incorrect.

                              I created a user without a password and still get the 403 error page.
                              And if I use a user with a wrong password it does not let me in at all.

                              I find that it's strange that the error message says : " ... user [] ... " like it's empty.
                              And as of reviewing your initial post, a third option comes into my mind:
                              c) Perhaps some Win 2003 specific issue is causing that problem. Have you ever tried to configure the APEX Listener on a Windows workstation? After all,the basic GlassFish "installation" is just unzipping and starting it. That's how I maintain to have a simple reference on my laptop, and deploying APEX Listener to it worked without problems for me.
                              I did configure the APEX Listener on a Virtual Box on my local machine with windows XP and it works fine... Maybe it's something with windows 2003 ... I have the same issue on both the dev and production box both running 2003.



                              Francis.
                              • 12. Re: listenerAdmin not working in Glassfish
                                Udo
                                Hi Francis,
                                listenerConfigure ran fine and created the config files in the new location.
                                That's not very surprising, because listenerConfigure doesn't use authentication.
                                ...[log]
                                So it seems the username isn't getting through - interesting.
                                ...[VirtualBox vs 2003]
                                Does your VM run with French locales as well?
                                I'd wonder if 2003 would cause problems woth submitted values, especially because you tried from a different client with a non-integrated browser (your fresh Firefox install). Furthermore, GlassFish is running on Java and is not supposed to care much about the underlying OS. The only host specific issues could come from the JDK you use, e.g. because you have some Java policies that need to be adjusted...

                                So all my hope to solve the case goes to your locale settings. Is it possible for you to run your GlassFish with American/UTF-8 charset? My windows install defaulted to that, so I was a little surprised to see localized log from your site.

                                -Udo