[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365431 ]
Anita Kulshreshtha commented on GERONIMO-1585: ---------------------------------------------- After digging further through all the webapps supplied by tomcat (http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/webapps/webdav/WEB-INF/web.xml), I found the following - 1. "/*" is used as url-pattern in <web-resuource-collection> and <filter-mapping>. 2. It's usage in servlet-mapping is left upto the deployer. Here is an example from webdav webapp - .......................................................... <!-- The mapping for the webdav servlet --> <!-- Using /* as the mapping ensures that jasper, welcome files etc are over-ridden and all requests are processed by the webdav servlet. This also overcomes a number of issues with some webdav clients (including MS Webfolders) that do not respond correctly to the redirects (302) that result from using a mapping of / --> <servlet-mapping> <servlet-name>webdav</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> ..................................................................... Which means we need to allow this in DD but need to make sure that it is not passed to the constructor for WebResourcePermission. G-1448 will have to be dealt with separately, when someone has a good reason to use it instead of "/" > Web app security on /* causes deployment exception > -------------------------------------------------- > > Key: GERONIMO-1585 > URL: http://issues.apache.org/jira/browse/GERONIMO-1585 > Project: Geronimo > Type: Bug > Components: web, security > Versions: 1.0 > Environment: Geronimo 1.0 with Jetty > Reporter: Aaron Mulder > Priority: Critical > Fix For: 1.0.1, 1.1 > > Deploying a web app with the following security block causes a deployment > error: > <security-constraint> > <web-resource-collection> > <web-resource-name>All Pages</web-resource-name> > <url-pattern>/*</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > <http-method>PUT</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>User</role-name> > </auth-constraint> > </security-constraint> > Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet > 2.4 spec). > The error is: > org.apache.geronimo.common.DeploymentException: Unable to initialize > webapp GBean > at > org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842) > ... > Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the > URLPatternSpec cannot match the first URLPattern > at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54) > at > javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54) > at > org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215) > at > org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821) > ... 70 more > Changing the url-pattern to / fixes the problem, but it seems to me that /* > ought to work too. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira