[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365362 ]
Anita Kulshreshtha commented on GERONIMO-1585:
----------------------------------------------

This issue was discussed in G-603. Page 22, last paragraph of JACC reads:

"... Any pattern, qualified by a pattern that matches it, is overridden and made irrelevant (in the translation) by the qualifying pattern. Specifically, all extension patterns and the default pattern are made irrelevant by the presence of the path prefix pattern "/*" in a deployment descriptor. Patterns qualified by the "/*" pattern violate the URLPatternSpec constraints of WebResourcePermission and WebUserDataPermission names and must be rejected by the corresponding permission constructors."

The syntax of a URLPatternSpec is as follows (see http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html):

    URLPatternList ::= URLPattern | URLPatternList colon URLPattern
    URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList

It goes on to say:

"... The first URLPattern in a URLPatternSpec may be any of the pattern types, exact, path-prefix, extension, or default as defined in the Java Servlet Specification)."

AIUI "/*" is neither exact, nor path-prefix ("/" followed by "/*"), nor extension (e.g. *.jsp), nor default ("/"). I think we should reject "/*" as an invalid URLPattern. Tomcat does the same and that explains G-1448.
> Web app security on /* causes deployment exception
> --------------------------------------------------
>
> Key: GERONIMO-1585
> URL: http://issues.apache.org/jira/browse/GERONIMO-1585
> Project: Geronimo
> Type: Bug
> Components: web, security
> Versions: 1.0
> Environment: Geronimo 1.0 with Jetty
> Reporter: Aaron Mulder
> Priority: Critical
> Fix For: 1.0.1, 1.1
>
> Deploying a web app with the following security block causes a deployment error:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>All Pages</web-resource-name>
>         <url-pattern>/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>         <http-method>PUT</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>User</role-name>
>       </auth-constraint>
>     </security-constraint>
>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
>
> The error is:
>
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
>
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
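Added example (not code from Geronimo, the JACC reference implementation or Tomcat): a self-contained Java model of the URLPatternSpec rules quoted in the comment above, so the "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern" rejection in the report can be reasoned about offline. It classifies url-patterns into the four Servlet kinds, computes each pattern's qualifying patterns the way the JACC translation describes, drops patterns that are "made irrelevant" by a qualifier that matches them, and validates the resulting spec strings with the constructor-side check from the stack trace. Two points are assumptions of this example rather than text from the page: "/*" is treated as a path-prefix pattern that matches every other pattern (that is how the quoted JACC sentence about extension and default patterns reads), and the default pattern "/" is added to the pattern set so the unconstrained remainder of the web app is covered. The class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example, not Geronimo/JACC RI/Tomcat code: a model of the URLPatternSpec rules
// discussed in GERONIMO-1585. Names and the two marked assumptions are the example's own.
public class UrlPatternSpecDemo {

    enum Kind { EXACT, PATH_PREFIX, EXTENSION, DEFAULT }

    // The four Servlet url-pattern kinds named in the WebResourcePermission javadoc.
    static Kind kindOf(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        if (p.startsWith("/") && p.endsWith("/*")) return Kind.PATH_PREFIX;
        return Kind.EXACT;
    }

    // Does the reference pattern match the argument pattern?
    static boolean matches(String ref, String arg) {
        if (ref.equals(arg)) return true;
        Kind k = kindOf(ref);
        if (k == Kind.DEFAULT) return true;                             // "/" matches everything
        if (k == Kind.EXTENSION) return arg.endsWith(ref.substring(1)); // "*.jsp" matches "/a/b.jsp"
        if (k != Kind.PATH_PREFIX) return false;                        // exact: equality only
        // Assumption: "/*" matches every other pattern, which is how the quoted JACC
        // paragraph (extension and default patterns made irrelevant by "/*") reads.
        if (ref.equals("/*")) return true;
        String prefix = ref.substring(0, ref.length() - 2);
        return arg.equals(prefix) || arg.startsWith(prefix + "/");
    }

    // Qualifying patterns of p, following the JACC translation rules for each kind.
    static List<String> qualifiers(String p, Set<String> all) {
        List<String> q = new ArrayList<>();
        Kind pk = kindOf(p);
        for (String o : all) {
            if (o.equals(p)) continue;
            Kind ok = kindOf(o);
            boolean take;
            if (pk == Kind.PATH_PREFIX)       // prefixes/exacts it matches, plus all extensions
                take = ok == Kind.EXTENSION
                    || ((ok == Kind.PATH_PREFIX || ok == Kind.EXACT) && matches(p, o));
            else if (pk == Kind.EXTENSION)    // all prefixes, plus exacts it matches
                take = ok == Kind.PATH_PREFIX || (ok == Kind.EXACT && matches(p, o));
            else                              // default: every other pattern; exact: none
                take = pk == Kind.DEFAULT;
            if (take) q.add(o);
        }
        return q;
    }

    // Constructor-side checks; the second message is the one in the report's stack trace.
    static String validate(String spec) {
        String[] parts = spec.split(":");
        String first = parts[0];
        if (kindOf(first) == Kind.EXACT && parts.length > 1)
            throw new IllegalArgumentException("exact first URLPattern takes no qualifiers: " + spec);
        for (int i = 1; i < parts.length; i++) {
            if (matches(parts[i], first))
                throw new IllegalArgumentException(
                    "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern: " + spec);
        }
        return spec;
    }

    // One URLPatternSpec per relevant url-pattern. Assumption: "/" is added so the
    // unconstrained remainder of the web app is covered, as the JACC translation does.
    static List<String> translate(List<String> webXmlPatterns) {
        Set<String> all = new LinkedHashSet<>(webXmlPatterns);
        all.add("/");
        List<String> specs = new ArrayList<>();
        for (String p : all) {
            List<String> q = qualifiers(p, all);
            boolean overridden = false;           // "made irrelevant" rule from the quoted text
            for (String o : q) if (matches(o, p)) overridden = true;
            if (overridden) continue;
            StringBuilder sb = new StringBuilder(p);
            for (String o : q) sb.append(':').append(o);
            specs.add(validate(sb.toString()));
        }
        return specs;
    }

    public static void main(String[] args) {
        // The report's descriptor: "/*" alone. "/" is qualified by "/*", which matches it,
        // so "/" is overridden and only the "/*" permission is generated.
        System.out.println(translate(List.of("/*")));
        System.out.println(translate(List.of("/*", "*.jsp", "/admin/*", "/login")));
        // Specs the constructor must reject: "/" as a qualifier of "/*", and "*.jsp" qualified by "/*".
        for (String bad : new String[] {"/*:/", "*.jsp:/*"}) {
            try { validate(bad); }
            catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

Under these rules the report's descriptor yields a single valid spec, "/*", because the default pattern is the one that gets overridden; the exception only appears if a pattern that matches "/*" (such as "/") is handed to the constructor as a qualifier instead of being dropped. The second descriptor shows "/*" taking "/admin/*", "/login" and "*.jsp" as qualifiers while "*.jsp" itself is overridden by "/*", as the quoted JACC paragraph requires.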
