IllegalStateException caused by incorrect merging of role mappings

2006-09-21 Thread Dmitri Colebatch

(I sent this yesterday but don't think the subscription service picked
up my correct from address so am sending again - apologies if it
appears twice).

Hi all,

I'm new to geronimo and am looking at the possibility of migrating
some fairly simple webapps from WLX9.1 to Geronimo/Jetty.  I've hit a
snag related to the way I have my security config setup and I think
it's a bug in Geronimo - more than happy to be corrected but would
appreciate if any other users (or developers) could offer some
thoughts on this.

I have the following in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts pages</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page</web-resource-name>
    <url-pattern>/login.do</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>

So the outcome I want is that in general struts pages require
authentication, but the login page doesn't require authentication
(obviously).  This has been working fine on WL but when I try to
deploy on Geronimo I get this:

Caused by: java.lang.IllegalArgumentException: Only exact and
path-prefix qualifiers in the URLPatternSpec are allowed when first
URLPattern is an extension pattern
  at javax.security.jacc.URLPatternSpec.init(URLPatternSpec.java:82)
  at javax.security.jacc.WebResourcePermission.init(WebResourcePermission.java:54)
  at org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357)

Debugging through the code, AbstractWebModuleBuilder is merging all
the patterns including ones that don't require authentication and so
is trying to create a WebResourcePermission instance with the string
*.do:/login.do.

The servlet spec section 12.8.1 Combining constraints says:

A security constraint that does not contain an authorization
constraint shall combine with authorization constraints that name or
imply roles to allow unauthenticated access.

So I'm assuming what I'm doing is ok and this is a bug with Geronimo.
Anyone have any thoughts/suggestions before I raise a bug?

cheers
dim
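The two rules the post leans on can be checked mechanically. The following is an added example, not Geronimo's or the JACC reference code: it classifies url-patterns into the four JACC kinds (exact, path-prefix, extension, default), applies the qualifier rules of a URLPatternSpec as I read them from JACC 1.1 section 3.1.3.1 (an assumption, stated in the code), and combines the two constraints from the web.xml above per Servlet spec 12.8.1 so the resulting per-URL/method decision is visible. Under those rules the spec string `*.do:/login.do` that Geronimo built is legal (an extension first pattern qualified by an exact pattern it matches), which is why the exception looks like a defect in the implementation rather than in the deployment descriptor.

```python
"""JACC URLPatternSpec qualifier rules and Servlet constraint combining.

Added illustration, not Geronimo's or the JACC reference implementation.
Pattern kinds and qualifier rules follow my reading of JACC 1.1 section
3.1.3.1; constraint combining follows Servlet 2.4 section 12.8.1 (both
assumptions). The sample constraints are constructed from the web.xml
quoted in the post.
"""

EXACT, PREFIX, EXTENSION, DEFAULT = "exact", "path-prefix", "extension", "default"


def pattern_type(pattern):
    """Classify a single url-pattern into its JACC kind."""
    if pattern == "/":
        return DEFAULT
    if pattern.startswith("*."):
        return EXTENSION
    if pattern.endswith("/*"):
        return PREFIX
    return EXACT


def matches(pattern, path):
    """Servlet-style match of one url-pattern against a request path."""
    kind = pattern_type(pattern)
    if kind == DEFAULT:
        return True
    if kind == EXTENSION:
        return path.endswith(pattern[1:])          # "*.do" -> ".do"
    if kind == PREFIX:
        prefix = pattern[:-2]                       # "/admin/*" -> "/admin"
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def parse_spec(spec):
    """Split 'first:qualifier1:qualifier2' into (first, [qualifiers])."""
    first, *qualifiers = spec.split(":")
    return first, qualifiers


def validate_spec(spec):
    """Return None if spec is a well-formed URLPatternSpec, else the reason."""
    first, qualifiers = parse_spec(spec)
    ftype = pattern_type(first)
    if ftype == EXACT and qualifiers:
        return "exact first pattern admits no qualifiers"
    seen = set()
    for q in qualifiers:
        if q == first or q in seen:
            return f"duplicate pattern {q!r}"
        seen.add(q)
        qtype = pattern_type(q)
        if ftype == DEFAULT:
            if qtype == DEFAULT:
                return "default pattern cannot qualify itself"
        elif ftype == EXTENSION:
            # Extension first pattern: qualifiers must be path-prefix, or
            # exact patterns that the first pattern matches.
            if qtype == PREFIX or (qtype == EXACT and matches(first, q)):
                continue
            return f"{q!r} must be exact (matched by {first!r}) or path-prefix"
        elif ftype == PREFIX:
            if qtype in (EXACT, PREFIX) and matches(first, q):
                continue
            return f"{q!r} must be exact or path-prefix and matched by {first!r}"
    return None


def spec_matches(spec, path):
    """A spec matches a path matched by its first pattern and by no qualifier."""
    first, qualifiers = parse_spec(spec)
    return matches(first, path) and not any(matches(q, path) for q in qualifiers)


# Constructed from the post's web.xml. roles=None means "no auth-constraint";
# an empty methods set means the constraint applies to every method.
CONSTRAINTS = [
    {"patterns": ["*.do"], "methods": {"GET", "POST"}, "roles": {"*"}},
    {"patterns": ["/login.do"], "methods": {"GET"}, "roles": None},
]


def access(path, method, constraints=CONSTRAINTS):
    """Combine constraints per Servlet 12.8.1: a matching constraint with no
    auth-constraint yields unauthenticated access; otherwise the union of the
    named roles is required; a path no constraint covers is unconstrained."""
    roles, constrained = set(), False
    for c in constraints:
        if c["methods"] and method not in c["methods"]:
            continue
        if not any(matches(p, path) for p in c["patterns"]):
            continue
        constrained = True
        if c["roles"] is None:
            return "unauthenticated"
        roles |= c["roles"]
    if not constrained:
        return "unconstrained"
    return "roles:" + ",".join(sorted(roles))


if __name__ == "__main__":
    print(validate_spec("*.do:/login.do"))      # None: legal per the rule
    for path, method in [("/login.do", "GET"), ("/login.do", "POST"), ("/foo.do", "GET")]:
        print(path, method, "->", access(path, method))
```

Note that the combined result is exactly what the post expects from WebLogic: GET on /login.do is unauthenticated, while POST on /login.do and every other *.do request still require a role, because the second constraint only lists GET.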


IllegalStateException caused by incorrect merging of role mappings

2006-09-20 Thread Dmitri Colebatch