Posted to dev@geronimo.apache.org by "Anita Kulshreshtha (JIRA)" <de...@geronimo.apache.org> on 2006/02/07 00:25:57 UTC

[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception

    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365362 ] 

Anita Kulshreshtha commented on GERONIMO-1585:
----------------------------------------------

This issue was discussed in G-603. Page 22, last paragraph of JACC reads -
"........................ Any pattern, qualified by a pattern that matches it, is overridden and made irrelevant (in the translation) by the qualifying pattern. Specifically, all extension patterns and the default pattern are made irrelevant by the presence of the path prefix pattern "/*" in a deployment descriptor. Patterns qualified by the "/*" pattern violate the URLPatternSpec constraints of WebResourcePermission and WebUserDataPermission names and must be rejected by the corresponding permission constructors."
The syntax of a URLPatternSpec is as follows: see http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
          URLPatternList ::= URLPattern | URLPatternList colon URLPattern

          URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList
It goes on to say "................... The first URLPattern in a URLPatternSpec may be any of the pattern types, exact, path-prefix, extension, or default as defined in the Java Servlet Specification)." AIUI "/*" is neither exact, nor
path-prefix ("/" followed by "/*"), nor
extension (e.g. *.jsp), nor
default ("/")
I think we should reject "/*" as an invalid URLPattern. Tomcat does the same and that explains G-1448.
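The following is an added example, not code from Geronimo or from javax.security.jacc, that models the two rules quoted above: the URLPatternSpec constraint that a qualifier must not match the first pattern (the constraint behind the "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern" exception in the report), and the translation rule that "/*" makes the default and extension patterns irrelevant. The pattern-matching semantics, the assumption that the translation always emits the default pattern "/", and the sample descriptor patterns are all assumptions constructed for the example; the qualifier computation is simplified to "every other pattern matched by this one", with the default pattern never used as a qualifier.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: a simplified model of the JACC URLPatternSpec constraints and of
// the descriptor-to-permission translation. Not the javax.security.jacc code.
public class UrlPatternSpecCheck {

    enum Kind { EXACT, PATH_PREFIX, EXTENSION, DEFAULT }

    // Pattern types as defined in the Servlet specification.
    static Kind kindOf(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("/") && p.endsWith("/*")) return Kind.PATH_PREFIX;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        return Kind.EXACT;
    }

    // Does pattern p match pattern q? Assumed Servlet/JACC matching semantics.
    static boolean matches(String p, String q) {
        if (p.equals(q)) return true;
        switch (kindOf(p)) {
            case DEFAULT:
                return true;                                    // "/" matches every pattern
            case PATH_PREFIX: {
                String prefix = p.substring(0, p.length() - 2); // "/foo/*" -> "/foo", "/*" -> ""
                return q.equals(prefix) || q.startsWith(prefix + "/"); // so "/*" matches "/" too
            }
            case EXTENSION:
                return kindOf(q) == Kind.EXACT && q.endsWith(p.substring(1)); // "*.jsp" matches "/a.jsp"
            default:
                return false;                                   // exact patterns match only themselves
        }
    }

    // Model of the permission-name constructor: first pattern plus colon-separated qualifiers.
    static String buildSpec(String first, List<String> qualifiers) {
        if (kindOf(first) == Kind.EXACT && !qualifiers.isEmpty()) {
            throw new IllegalArgumentException("exact pattern " + first + " cannot be qualified");
        }
        StringBuilder spec = new StringBuilder(first);
        for (String q : qualifiers) {
            if (!matches(first, q)) {
                throw new IllegalArgumentException("qualifier " + q + " is not matched by " + first);
            }
            if (matches(q, first)) { // the constraint violated by "/" qualified by "/*"
                throw new IllegalArgumentException("qualifier " + q + " matches the first pattern " + first);
            }
            spec.append(':').append(q);
        }
        return spec.toString();
    }

    // Simplified translation of descriptor patterns into URLPatternSpecs.
    // Assumption: the default pattern "/" is always part of the translation.
    static Map<String, String> translate(List<String> descriptorPatterns, boolean dropIrrelevant) {
        List<String> patterns = new ArrayList<>(descriptorPatterns);
        if (!patterns.contains("/")) patterns.add("/");
        if (dropIrrelevant && patterns.contains("/*")) {
            // The quoted JACC rule: "/*" makes extension patterns and the default pattern irrelevant.
            patterns.removeIf(p -> kindOf(p) == Kind.EXTENSION || kindOf(p) == Kind.DEFAULT);
        }
        Map<String, String> specs = new LinkedHashMap<>();
        for (String p : patterns) {
            List<String> qualifiers = new ArrayList<>();
            for (String other : patterns) {
                if (!other.equals(p) && kindOf(other) != Kind.DEFAULT && matches(p, other)) {
                    qualifiers.add(other);
                }
            }
            specs.put(p, buildSpec(p, qualifiers));
        }
        return specs;
    }

    public static void main(String[] args) {
        // Constructed sample descriptor: the "/*" constraint from the report plus two more patterns.
        List<String> descriptor = List.of("/*", "/admin/*", "*.jsp");
        System.out.println("with irrelevance rule: " + translate(descriptor, true));
        try {
            translate(descriptor, false);
        } catch (IllegalArgumentException e) {
            // Without the rule, "/" is qualified by "/*", which matches it, and the constructor rejects it.
            System.out.println("naive translation rejected: " + e.getMessage());
        }
    }
}
```

Run with `java UrlPatternSpecCheck.java` (Java 11 or later). The second run reproduces the shape of the reported failure: the spec built for the default pattern carries "/*" as a qualifier, "/*" matches "/", and the constructor throws. Under the first run the default and extension patterns are dropped as the quoted paragraph describes, and "/*" alone translates without error, which is the alternative to rejecting "/*" outright.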

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>          Key: GERONIMO-1585
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>      Project: Geronimo
>         Type: Bug
>   Components: web, security
>     Versions: 1.0
>  Environment: Geronimo 1.0 with Jetty
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0.1, 1.1

>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.
