Glassfish, APEX Listener, and 403
In preparation for my ODTUG talk on the APEX Listener, I was updating my virtual machine to include the latest version Glassfish application server and deploying the APEX listener to talk to my XE database. Nice little setup. The Tomcat version of the listener is still working as I expected. I have been using Tomcat for some time, but understanding that it is not a supported platform, I wanted to be able to show the APEX Listener features with Glassfish.
I went through all the steps in the Listener documentation. Very concise and direct. Everything seemed fine, until I ran into the dreaded HTTP 403 error. This error basically means “you have been weighed, you have been measured, and found wanting.” The application knows who you are, but you do not have the rights to continue.
Here is the details at the time of writing:
- Glassfish 3.1.2
- Java 1.6
- Oracle XE 11g
- Apex Listener 1.1.3
- CentOS 6.0
After deploying the APEX Listener, the documented steps outline how to add users that are explicit to the configuration of the APEX Listener. This allows usability of some of the advanced configuration and programming features of the Listener. These users need specific group membership to be picked up by the .
Admin – Allowed to run the http://host:port/apex/listenerAdmin
Manager – Allowed to run the http://host:port/apex/listenerStatus
Note: one of the most common issues with group membership is case sensitivity. First letter is capital.
After following all of the steps perfectly, you should be able to run the http://host:port/apex/listenerConfigure because this does not require any authentication. After the listener is configured the first time, you will get the following message:
“The APEX Listener is already configured. Please login as Administrator to access APEX Listener Administration.”
To configure the listener via the web interface or tweak settings after the initial setup, you need to access either the listenerAdmin or listenerStatus page with a valid account having the group membership identified above. Even after the groups have been setup per the documentation you may still receive the HTTP 403 error preventing you from editing the page.
I have tracked this issue down to a small setting in the security settings on Glassfish. The JACC (Java Authorization Contract for Containers) by default … does not work as I want it to. This needs to be switched to “simple” to complete the setup as documented in listener documentation. That being said, I am sure the default provider (com.sun.enterprise.security.provider.PolicyWrapper) can be setup to work, but I do not have the energy or the will to try to figure it out right now.
The following image identifies the setting I am referring to.
After making the modifications, you should be able to run the listenerAdmin utility with an account that has been given the Admin group.