Channel: GlassFish Related Items on Java.net

JDBCRealm problem with Glassfish


Hi,

For 2 weeks I have been trying to get the authentication for my web services to work.

I read some tutorials like the following one (http://www.nabisoft.com/tutorials/glassfish/securing-java-ee-6-web-appli...).
I also searched a lot on Google and Stack Overflow for a solution to my problem, but I think it's very specific... I don't know where the error could be located.

So I hope you can help me.

I created two entities: one for the user (called AppUser) and one for the group (called AppUserGroup).

The following is the user class:

@Entity
public class AppUser implements Serializable {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;

    @Column(unique=true)
    private String email;
    private String password; //Password etc.

    @ManyToMany(fetch = FetchType.LAZY)
    @JoinTable( joinColumns={@JoinColumn(name="id", referencedColumnName="id")},
            inverseJoinColumns={@JoinColumn(name="groupId", referencedColumnName="groupId")})
    private List<AppUserGroup> appUserGroups;
}

The second one is the group class:

@Entity
public class AppUserGroup {    

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long groupId;

    @Column(unique=true)
    private String groupName;
}

The tables are created correctly, and I populate them with one test user called 'marvin' with the password '2' (very secure one ;-) ).
This test user is in the groups "AppUser" and "Administrator".
So when I call request.isUserInRole("Administrator") or request.isUserInRole("appUser"), both function calls should return true.

My JDBCRealm configuration can be found in a screenshot called jdbcRealm.PNG, which is attached to this post. I don't know how I can include it inline directly.

Now let me explain my problem:

  • When I set a "default group" in my jdbcRealm configuration, I can call the login web service and my user gets authenticated.
    When I call request.getUserPrincipal(), I get the user Principal as expected.
  • But when I don't set a default group in my jdbcRealm configuration, my user doesn't get authenticated because of a "login error".

In both cases I get the following error:

SEVERE:   SEC1111: Cannot load group for JDBC realm user

So I think that the user login works, but GlassFish cannot load my groups from the database.

My User table is called:
APPUSER Screenshot APPUSER.PNG

My Group table is called:
APPUSERGROUP Screenshot APPUSERGROUP.PNG

The joining table is called:
APPUSER_APPUSERGROUP Screenshot APPUSER_APPUSERGROUP.PNG

The jdbcRealm is configured as you can see in the screenshot (jdbcRealm.PNG).

So how can it be that it doesn't find the groups? All the data GlassFish needs is in the AppUser and AppUser_AppUserGroup tables. In AppUser_AppUserGroup there is the email of the user and the groupName of the group, both as Strings like JAAS needs it (as I understood).

I don't know if you need it, but here is my glassfish-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
 
  <security-role-mapping>
    <role-name>Administrator</role-name>
    <group-name>Administrator</group-name>
  </security-role-mapping>
 
  <security-role-mapping>
    <role-name>AppUser</role-name>
    <group-name>AppUser</group-name>
  </security-role-mapping>
 
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

And here is the web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <name>SESSIONID</name>
        </cookie-config>
    </session-config>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>greenServerAuth</realm-name>
    </login-config>
   
    <security-role>
        <description>Admin</description>
        <role-name>Administrator</role-name>
    </security-role>
    <security-role>
        <description>Common User</description>
        <role-name>AppUser</role-name>
    </security-role>
</web-app>

Do you have any ideas?

Attachment                  Size
APPUSER.PNG                 2.36 KB
APPUSER_APPUSERGROUP.PNG    1.44 KB
APPUSERGROUP.PNG            1.95 KB
jdbcRealm.PNG               41.29 KB
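
Added example, not part of the original post: Python with an in-memory SQLite database that runs the two lookups a GlassFish JDBCRealm performs (the password row, then `SELECT <group-name-column> FROM <group-table> WHERE <user-name-column> = ?`) and reports which one fails, the point at which the server logs SEC1111. The realm property values, the join-table columns (derived from the @JoinTable mapping shown above), the sample rows and the view name V_USER_GROUP are assumptions constructed for illustration, because the realm screenshot is not reproduced on this page.

```python
import sqlite3

# Constructed schema following the @JoinTable mapping in the post: the join
# table holds the numeric keys id/groupId. Sample rows are constructed too.
SCHEMA = """
CREATE TABLE APPUSER (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT);
CREATE TABLE APPUSERGROUP (groupId INTEGER PRIMARY KEY, groupName TEXT UNIQUE);
CREATE TABLE APPUSER_APPUSERGROUP (id INTEGER, groupId INTEGER);
INSERT INTO APPUSER VALUES (1, 'marvin', '2');
INSERT INTO APPUSERGROUP VALUES (1, 'AppUser'), (2, 'Administrator');
INSERT INTO APPUSER_APPUSERGROUP VALUES (1, 1), (1, 2);
-- Hypothetical view: one (email, groupName) row per group membership.
CREATE VIEW V_USER_GROUP AS
  SELECT u.email, g.groupName FROM APPUSER u
  JOIN APPUSER_APPUSERGROUP ug ON ug.id = u.id
  JOIN APPUSERGROUP g ON g.groupId = ug.groupId;
"""

# Assumed realm properties (the real values are only in the screenshot).
BASE = {"user-table": "APPUSER", "user-name-column": "email",
        "password-column": "password"}
AS_JOIN_TABLE = {**BASE, "group-table": "APPUSER_APPUSERGROUP",
                 "group-name-column": "groupName"}
AS_VIEW = {**BASE, "group-table": "V_USER_GROUP",
           "group-name-column": "groupName"}


def check_realm(conn, p, user):
    """Run the realm's password and group lookups; report what each returns."""
    # Identifiers come from trusted realm configuration, never from the user.
    pw_sql = (f'SELECT {p["password-column"]} FROM {p["user-table"]} '
              f'WHERE {p["user-name-column"]} = ?')
    grp_sql = (f'SELECT {p["group-name-column"]} FROM {p["group-table"]} '
               f'WHERE {p["user-name-column"]} = ?')
    result = {"user_found": False, "groups": [], "group_error": None}
    result["user_found"] = conn.execute(pw_sql, (user,)).fetchone() is not None
    try:
        result["groups"] = sorted(r[0] for r in conn.execute(grp_sql, (user,)))
    except sqlite3.Error as exc:  # a failing group query is what SEC1111 reports
        result["group_error"] = str(exc)
    return result


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return (check_realm(conn, AS_JOIN_TABLE, "marvin"),
            check_realm(conn, AS_VIEW, "marvin"))


if __name__ == "__main__":
    for report in demo():
        print(report)
```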
