0

I've already deployed an OSGi maven application with many OSGi bundles under Glassfish 4.1.2. This bundles are activated with a webapp that makes some calls with Jobs defined on it. All this is actually working in the expected way.

The web app executes the jobs and jobs make the calls to the OSGi bundles. The problem comes when I try to get the Batch Status from outside.

The purpose is to deploy other web application with REST webservices, so I can query the batch status on demmand. When I run:

private JobExecution getJob(int id) {

   JobOperator jobOperator = BatchRuntime.getJobOperator();
   JobExecution job = null;

   try {

           job = jobOperator.getJobExecution(id);

           System.out.println("job: " + job);
           System.out.println("name: " + job.getJobName());
           System.out.println("batchStatus: " + job.getBatchStatus());

   } catch (Exception e) {

           e.printStackTrace();

   }

   return job;

}

I get this exception:

javax.batch.operations.JobSecurityException: The current user is not authorized to perform this operation

I've already tried to deploy the webservices in the same web application that runs the batches, just to test the behaivour, and after sending the batches, I keep getting the same exception.

The strange thing is, when I run the batch from the webapp controller, it runs, and I can get the Batch Status like a charm:

@ViewScoped
@ManagedBean(name = "controller")
public class Controller implements Serializable {


   public void executeJobController() {

       JobOperator jobOperator = BatchRuntime.getJobOperator();
       Long executionIdDummy = jobOperator.start("DummyJob", new Properties());
       JobExecution jobExecutionDummy = jobOperator.getJobExecution(executionIdDummy);
       System.out.println("BatchDummyStatus : " + jobExecutionDummy.getBatchStatus());

   }
}

There is nothing I can find in the JSR352 Spec, Javadoc or Java EE tutorial about security in batch.

Is possible to do this? Is it about Glassfish JSR352? How can I achieve this?

Thank you for your time.

EDIT

After setting most of the logs to FINE as suggested by @Scott Kurz, I can see these new lines:

[2017-12-05T13:10:45.100-0500] [glassfish 4.1] [FINE] [] [javax.enterprise.web.core] [tid: _ThreadID=64 _ThreadName=http-listener-1(4)] [timeMillis: 1512497445100] [levelValue: 500] [CLASSNAME: org.apache.catalina.authenticator.AuthenticatorBase] [METHODNAME: invoke] [[ Security checking request GET /ws/webresources/facturacion/getJobs]] [2017-12-05T13:10:45.101-0500] [glassfish 4.1] [FINE] [] [javax.enterprise.web.core] [tid: _ThreadID=64 _ThreadName=http-listener-1(4)] [timeMillis: 1512497445101] [levelValue: 500] [CLASSNAME: org.apache.catalina.authenticator.AuthenticatorBase] [METHODNAME: invoke] [[ Not subject to any constraint]]

And this one means something strange:

[2017-12-05T13:10:45.104-0500] [glassfish 4.1] [FINE] [AS-WEB-NAMING-00005] [javax.enterprise.web.naming] [tid: _ThreadID=64 _ThreadName=http-listener-1(4)] [timeMillis: 1512497445104] [levelValue: 500] [CLASSNAME: org.apache.naming.resources.FileDirContext] [METHODNAME: file] [[ File cannot be read /home/felipe/Documents/Programas/glassfish4/glassfish/domains/domain1/applications/ws/WEB-INF/classes/META-INF/services/javax.batch.operations.JobOperator]]

I've tried runing glassfish as sudo in localhost, but I'm getting the same behavior, and getting exactly the same error.

Scott Kurz
  • 4,985
  • 1
  • 18
  • 40
ChoCho
  • 439
  • 5
  • 13
  • 1
    In Glassfish the security model is application-based rather than user-based. So applications like the Admin Console can view all jobs while code running in app components in other applications can generally only view jobs associated with that application (submitted/started from within that application). If you turn on the finest logging for `com.ibm.jbatch.*` you might get a bit more of a clue what's going on (e.g. perhaps for some reason Glassfish isn't associating your web service with the application the batch jobs were run under for some reason, even though you think it should be). – Scott Kurz Dec 05 '17 at 16:10
  • This is a batch-specific authorization issue you're hitting. Running as superuser wouldn't matter. Not sure any of the log records you pasted matter. Look [here](https://github.com/javaee/glassfish/blob/2f9cc528403a2cd9237a1e6ddfb3aceeb7d1ef74/appserver/batch/glassfish-batch-connector/src/main/java/org/glassfish/batch/spi/impl/GlassFishBatchSecurityHelper.java#L69-#L74) and [here](https://github.com/WASdev/standards.jsr352.jbatch/blob/17041a0f70e0030d89af4e58d5f4e17906a9b096/com.ibm.jbatch.container/src/main/java/com/ibm/jbatch/container/api/impl/JobOperatorImpl.java#L467-L487). – Scott Kurz Dec 05 '17 at 19:51
  • 1
    Hopefully that gives you a hook to use to debug the problem. Here "current tag" is a bit of a generalization/abstraction of what is in Glassfish the "current application". So if what this helper is showing as the current tag/app isn't what you'd expect, then that's your problem. – Scott Kurz Dec 05 '17 at 19:53
  • The only way I found to get it working, is creating webservices inside the same webapplication where the job executor resides. Only in this manner, I can query the job execution status. Actually, I'm exploring if there is a way to query glassfish internal database. I don't know why in the first test, querying batch status from the same webapp didn't work, maybe it didn't get fully redeployed. – ChoCho Feb 05 '18 at 13:37
  • Would be interested to hear what you find. If this is easy to do, "by default", that would defeat most of the purpose of the authorization checks. On the other hand if there is a way an admin can allow this if this is what they really want, then I guess that could work. – Scott Kurz Feb 05 '18 at 15:44
  • @Scott Kurz , finally found a way to get it working, as far as I can see, when you deploy the application to Glassfish, in that moment, the application server assign the "application id". As my enviroment is OSGi based, I redeployed all the OSGi bundles again, and finally redeployed the webapplication, and voila! I can get the status of the jobs from the webapplication. – ChoCho Mar 01 '18 at 14:09

1 Answers1

1

As I'm working on a OSGi enviroment, first redeployed (undeployed manually and deployed one by one) all OSGi bundles again, and finally, redeployed (undeployed and deployed) the webapplication where the webservice lies, and then, it started working.

It seems that the OSGi dependencies were not recognized in some way after making some redeployments, causing the security issue.

ChoCho
  • 439
  • 5
  • 13
  • Good to hear. I edited the question rephrasing it to be more useful. – Scott Kurz Mar 01 '18 at 15:21
  • Thank you @ScottKurz, if someone is interested, Glassfish has a native REST API to query the batch execution status, just accessing to https://dummyip:4848/management/domain/list-batch-jobs.json – ChoCho Mar 05 '18 at 14:10