[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12448789 ]

Jérôme GODARD commented on GERONIMO-1585:
-----------------------------------------
I modified the geronimo-security-1.1.1.jar file with the security.patch to use "/*" to secure all pages of my JSF application, but I also want to let the login page (with the resources it uses, like jpg, css etc.) be accessible by everybody (unauthenticated). With Websphere 6, I use the J2EE role EveryBody to do that.

Extract of my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>AllURI</web-resource-name>
    <description>Represent all the application URI</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>User</role-name>
    <role-name>Admin</role-name>
    <role-name>Support</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <description>The login page resource</description>
    <url-pattern>/login/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>EveryBody</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>Constraints PUBLIC</display-name>
  <web-resource-collection>
    <web-resource-name>Theme Resources</web-resource-name>
    <description />
    <url-pattern>/templates/*</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/jscookmenu/*</url-pattern>
    <url-pattern>/</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Public Area</web-resource-name>
    <description>allows acces under /public/</description>
    <url-pattern>/public/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>EveryBody</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

When I deploy it on Geronimo, I use the following geronimo-web.xml file:

<security-realm-name>app-dev-ldap-realm</security-realm-name>
<sec:security>
  <sec:default-principal realm-name="app-dev-ldap-realm">
    <sec:principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </sec:default-principal>
  <sec:role-mappings>
    <sec:role role-name="User">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-USER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true" />
      </sec:realm>
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="Support">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="Admin">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="EveryBody">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
      </sec:realm>
    </sec:role>
  </sec:role-mappings>
</sec:security>

I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml). But when I deploy, the login resources and public pages are still not accessible by EveryBody (i.e. an unauthenticated user).
> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>                 Key: GERONIMO-1585
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: web, security
>    Affects Versions: 1.1
>         Environment: Geronimo 1.0 with Jetty and tomcat
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.1.x
>
>         Attachments: security.patch
>
>
> Deploying a web app with the following security block causes a deployment
> error:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>All Pages</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>User</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet
> 2.4 spec).
>
> The error is:
>
> org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>     at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>     ...
> Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>     at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>     at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>     at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>     at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>     ... 70 more
>
> Changing the url-pattern to / fixes the problem, but it seems to me that /*
> ought to work too.
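The comment above asks which constraint governs a request for /login/* when a broader /* constraint also exists. The Servlet 2.4 spec (SRV.12.8.3) answers this by selecting the best-matching url-pattern first and only then combining the constraints declared on that pattern (SRV.12.8.1). The following script is an added example, not code from Geronimo, Jetty or the commenter: it parses a constructed, trimmed copy of the web.xml posted above (namespace, descriptions and the theme-resource collection dropped) and evaluates those two rules for a given path, method and role set. It models what the deployment descriptor asks for, not Geronimo's translation of it into JACC WebResourcePermission objects, which is where the exception quoted in the issue is thrown.

```python
"""Model of the Servlet 2.4 rules (SRV.12.8) for selecting and combining overlapping
<security-constraint> elements. Added example, not Geronimo or commenter code; it
evaluates what web.xml asks for, not what any particular container implements."""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the constraints posted in the comment (namespace and
# descriptions dropped so that ElementTree can address elements by bare name).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AllURI</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name><role-name>Admin</role-name><role-name>Support</role-name>
    </auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Area</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Each constraint: its collections as (patterns, methods) pairs, the role set of its
    auth-constraint (None when the element is absent, empty set when it names no role)
    and its transport-guarantee (None when absent)."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        colls = [([p.text.strip() for p in w.findall("url-pattern")],
                  {m.text.strip().upper() for m in w.findall("http-method")})  # empty = all methods
                 for w in sc.findall("web-resource-collection")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append({"collections": colls, "roles": roles,
                    "transport": None if tg is None else tg.text.strip().upper()})
    return out

def best_pattern(patterns, path):
    """SRV.11.1 as used by SRV.12.8.3: exact match, then longest path-prefix, then extension, then default."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    for p in patterns:
        if p.startswith("*.") and path.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None

def effective_constraint(constraints, path, method):
    """Only constraints declared on the best-matching pattern AND covering the method apply;
    those are then combined with the SRV.12.8.1 rules."""
    all_patterns = {p for c in constraints for pats, _ in c["collections"] for p in pats}
    pat = best_pattern(all_patterns, path)
    applicable = [c for c in constraints
                  if any(pat in pats and (not methods or method in methods)
                         for pats, methods in c["collections"])]
    if not applicable:                       # uncovered pattern/method pair: no constraint at all
        return {"pattern": pat, "roles": "ANY", "transport": None}
    if any(c["roles"] is not None and not c["roles"] for c in applicable):
        roles = set()                        # an auth-constraint naming no role precludes all access
    elif any(c["roles"] is None for c in applicable):
        roles = "ANY"                        # no auth-constraint => unauthenticated access is allowed
    else:
        roles = set().union(*(c["roles"] for c in applicable))
    transports = {c["transport"] for c in applicable}
    if None in transports or "NONE" in transports:
        transport = None                     # union of accepted connection types includes plain ones
    else:
        transport = "INTEGRAL" if "INTEGRAL" in transports else "CONFIDENTIAL"
    return {"pattern": pat, "roles": roles, "transport": transport}

def is_allowed(constraints, path, method, user_roles, secure):
    """Decision for a caller holding user_roles over a secure (True) or plain (False) connection."""
    eff = effective_constraint(constraints, path, method)
    if eff["transport"] and not secure:
        return False
    return eff["roles"] == "ANY" or bool(eff["roles"] & set(user_roles))

if __name__ == "__main__":
    c = parse_constraints(WEB_XML)
    anon = {"EveryBody"}   # the role the geronimo-web.xml above maps the anonymous default principal to
    for path, method in [("/login/index.jsp", "GET"), ("/login/index.jsp", "HEAD"),
                         ("/secure/page.jsp", "GET"), ("/public/a.css", "GET")]:
        print(method, path, effective_constraint(c, path, method),
              "anonymous over https:", is_allowed(c, path, method, anon, True))
```

Run stand-alone, the script reports that GET /login/index.jsp is governed only by the Login constraint (role EveryBody, CONFIDENTIAL), so a principal that the container grants the EveryBody role satisfies it; the /* constraint does not add its roles, because /login/* is the better match. Two points fall out of the same model and are worth checking in any descriptor of this shape: the CONFIDENTIAL guarantee on /login/* is enforced only because the Login constraint is the sole applicable one (a second constraint on the same pattern with NONE would relax it to the union, i.e. plain HTTP), and a request for /login/index.jsp with a method not listed in the collection (HEAD here) matches the /login/* pattern but no constraint covering that method, so it is unconstrained rather than falling back to the /* rule. Servlet 3.1 later added `<deny-uncovered-http-methods/>` for exactly that gap.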