Hi all, I'm new to geronimo and am looking at the possibility of migrating some fairly simple webapps from WLX9.1 to Geronimo/Jetty. I've hit a snag related to the way I have my security config setup and I think its a bug in Geronimo - more than happy to be corrected but would appreciate if any other users (or developers) could offer some thoughts on this.
I have the following in my web.xml: <security-constraint> <web-resource-collection> <web-resource-name>Struts pages</web-resource-name> <url-pattern>*.do</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Login page</web-resource-name> <url-pattern>/login.do</url-pattern> <http-method>GET</http-method> </web-resource-collection> </security-constraint> So the outcome I want is that in general struts pages require authentication, but the login page doesn't require authentication (obviously). This has been working fine on WL but when I try to deploy on Geronimo I get this: Caused by: java.lang.IllegalArgumentException: Only exact and path-prefix qualifiers in the URLPatternSpec are allowed when first URLPattern is an extension pattern at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:82) at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54) at org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357) Debugging through the code, AbstractWebModuleBuilder is merging all the patterns including ones that don't require authentication and so is trying to create a WebResourcePermission instance with the string "*.do:/login.do". The servlet spec section "12.8.1 Combining constraints" says: "A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access." So I'm assuming what I'm doing is ok and this is a bug with Geromino. Anyone have any thoughts/suggestions before I raise a bug? cheers dim