I want to see which user tried to access EJB methods that are not allowed for his respective role (via @RolesAllowed annotation). It seems I can only see that a Failed Permission Check occured in the log (+ on which Bean, what method and the timestamp), but not WHO tried to call it:
[2016-12-15T17:48:36.061+0100] [glassfish 4.1] [INFO] [] [javax.enterprise.system.core.security] [tid: _ThreadID=96 _ThreadName=http-listener-1(4)] [timeMillis: 1481820516061] [levelValue: 800] [[
JACC Policy Provider: Failed Permission Check, context(SecuredAccess/SecuredAccess_EJB_jar)- permission(("javax.security.jacc.EJBMethodPermission" "WorkBean" "administrationTask,Local,"))]]
[2016-12-15T17:48:36.061+0100] [glassfish 4.1] [WARNING] [AS-EJB-00056] [javax.enterprise.ejb.container] [tid: _ThreadID=96 _ThreadName=http-listener-1(4)] [timeMillis: 1481820516061] [levelValue: 900] [[
A system exception occurred during an invocation on EJB WorkBean, method: public java.lang.String work.WorkBean.administrationTask()]]
Is there any way to configure Glassfish so that it logs the principal of the calling user or at least some kind of session ID I can then map to a specific user? It logs the user for each valid method call, but somehow not for the denied ones.
I met this issue too. It may caused by: you copy jar/class file to glassfish application folder directly. You need re-deploy the application(war/ear), then this issue will disappear.
Good luck!