You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org> on 2006/09/22 00:56:22 UTC
[jira] Created: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
---------------------------------------------------------------------------------
Key: GERONIMO-2420
URL: http://issues.apache.org/jira/browse/GERONIMO-2420
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: deployment
Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
Reporter: Daniel Sportes
The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
Eclipse is now happy and does not mark anymore my web.xml in error.
However, this causes an exception at deployment in the server.
If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: err.log
The console of the "deploy" processing.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=comments#action_12436776 ]
Daniel Sportes commented on GERONIMO-2420:
------------------------------------------
Of course David you are pretty much obligated to validate the web.xml against the "official" spec.
I patched this schema locally just for testing if your implementation was related to it: it seems that it is not, at least not with the external file reachable in the %install%/schema directory.
The Servlet 2.5 spec has the same list of http-method (I checked this morning): as consequence the Servlet spec is NOT compliant with the WebDAV spec and the implementation done for example by the Slide project is not compliant with the Servlet spec (however working in Tomcat).
It could be a first track to add in the geronimo-web.xml an element http-method-list as sub element of security for allowing (actual and future) extensions of the http protocol.
It could also be a track in changing a bit your interpretation of that list when empty. When there is NO http-method element at all in the security-constraint element, ALL methods are concerned. it is exactly what I wished as any WebDAV implementers: however in this case you do not route all methods on the service() method of the servlet but only some of them (GET, POST, PUT ...). Why checking anything there, and only in case of security-constraint ? When I remove the security-constraint applicable to the servlet path, the service() method receives correctly ALL methods (even MKCOL, PROPFIND, etc.). Just align the checking implemented on the most open (the one you implemented without security-constraint), without changing anything else in the deployment part. This kind of change would not appear as a regression for actual existing developments.
You can find out WebDAV spec at http://www.webdav.org/specs/. It was probably not the best way to extend http method lists (new headers for a POST would be simpler) but they did and several implementations (typically of Explorer in Windows) are largely used.
I do not know if some other specs as WebDAV also extend the HTTP method list.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=comments#action_12436696 ]
David Jencks commented on GERONIMO-2420:
----------------------------------------
We can't modify the j2ee schemas supplied from sun, and we're pretty much obligated to validate your spec depoyment descriptors against the schemas supplied by sun. So we can't adopt the modified web-app schema you've supplied, and we will continue to reject your web.xml as being non-compliant to the schema.
We might be able to figure out an alternate way to add more permissions for additional http methods by specifying them in the geronimo plan. Is there a complete list of possible http methods somewhere? Is the list recognized by sun expanded in the servlet 2.5 spec?
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: web.xml
The web.xml rejected at deployment time. Just uncomment the list of http-method for getting the issue.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: http-1.txt
http flow for case a)
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, http-1.txt, http-2.txt, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Closed: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-2420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-2420.
----------------------------------
Resolution: Fixed
Fix Version/s: 2.0.1
Assignee: David Jencks
The jacc spec was emended for javaee 5 to allow much fancier specification of HTTP methods, and all the DAV ones should work now in geronimo 2.x
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: https://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Assignee: David Jencks
> Fix For: 2.0.1
>
> Attachments: err.log, http-1.txt, http-2.txt, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: http-2.txt
http flow for the case b)
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, http-1.txt, http-2.txt, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: server-Bug-Deployment.log
The session log.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=comments#action_12437480 ]
Daniel Sportes commented on GERONIMO-2420:
------------------------------------------
Report of last tests:
a) if no one http-method is listed in web-resource-collection:
1) OPTIONS method is routed in the servlet
2) PROPFIND methods are not transmitted to the service() method of my servlet : "An exception or error occurred in the container during the request processing org.apache.catalina.connector.CoyoteAdapter"
This behaviour is hardly correct.
b) if allowed methods (OPTIONS, HEAD, GET, POST, PUT, DELETE) are listed in web-resource-collection, both OPTIONS and PROPFIND are routed in the service().
This behaviour could be considered as a bit strange, but DO NOT CHANGE IT.
This is a good work around for this issue and exactly the result I hoped:
1) authentication is well required
2) all methods are transmittd to the service() method.
The Apache Slide project just would require a different web-xml for Geronimo than for Tomcat 5.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: err.log, server-Bug-Deployment.log, web-app_2_4b.xsd, web.xml
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-2420) No support of WebDAV http-methods
(MKCOL ...) in web-app with security-constraint
Posted by "Daniel Sportes (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-2420?page=all ]
Daniel Sportes updated GERONIMO-2420:
-------------------------------------
Attachment: web-app_2_4b.xsd
The schema modified for accepting WebDAV http-method.
> No support of WebDAV http-methods (MKCOL ...) in web-app with security-constraint
> ---------------------------------------------------------------------------------
>
> Key: GERONIMO-2420
> URL: http://issues.apache.org/jira/browse/GERONIMO-2420
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: deployment
> Environment: Release in WASCE (probably 1.0) - Windows XP - Java 1.5
> Reporter: Daniel Sportes
> Attachments: web-app_2_4b.xsd
>
>
> The schema web-app_2_4.xsd does not accept WebDAV http-method as PROPFIND, MKCOL, etc. in security-constraint (in web.xml).
> As consequence as I develop a business server based on WebDAV, I cannot require an authentication for accessing the WebDAV servlet. Just observe it is possible with Tomcat.
> As the error message indicates the web-app_2_4.xsd schema, I patched this schema in the directory %install%/schema.
> Eclipse is now happy and does not mark anymore my web.xml in error.
> However, this causes an exception at deployment in the server.
> If I remove all forbidden http-method, no more deployment exception of course, but I do not receive PROPFIND method calls in my servlet.
> If I completely remove the security-constraint section, PROPFIND methods are correctly received in my servlet ... but the user authentication is no more required (that is not an acceptable solution for a business server). The method list seems to be coded somewhere else than in the schema.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira