[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462469 ]

Vamsavardhana Reddy commented on GERONIMO-1585:
-----------------------------------------------

Using g1585-nologin.war:

Step 0: Undeploy jira/G1585/1.0/war if it exists already
Step 1: Deploy g1585-nologin.war
Step 2: Access http://localhost:8080/G1585 . You will be redirected to a login page with a "broken" image.
Step 3: Log in using uid/pwd = system/manager and the welcome page will display

Using g1585.war:

Step 0: Undeploy jira/G1585/1.0/war if it exists already
Step 1: Deploy g1585.war
Step 2: Access http://localhost:8080/G1585 . You will be redirected to a login page with my image :o)
Step 3: Log in using uid/pwd = system/manager and the welcome page will display

The only difference between g1585.war and g1585-nologin.war is that 
geronimo-web.xml in g1585.war has the following security-constraint element.
{code}
<security-constraint>
    <display-name>login</display-name>
    <web-resource-collection>
        <web-resource-name>login</web-resource-name>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <!-- Notice that there is no auth-constraint tag -->
</security-constraint>
{code}

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>                 Key: GERONIMO-1585
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-1585
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, web
>    Affects Versions: 1.1
>         Environment: Geronimo 1.0 with Jetty and tomcat
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.1.x
>
>         Attachments: g1585-nologin.war, g1585.war, security.patch
>
>
> Deploying a web app with the following security block causes a deployment 
> error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 
> 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* 
> ought to work too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
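
An added example, not code from the issue or from Geronimo: a small Python model of the Servlet 2.4 best-match rule, showing how a constraint on /login/* with no auth-constraint leaves requests under /login/ unauthenticated while /* still requires the User role. The descriptor is constructed from the two blocks quoted above; the function names are hypothetical and the XML is assumed to carry no namespace.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraint blocks quoted on this page, in one descriptor.
DESCRIPTOR = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/login/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def load_rules(xml_text):
    """Return (pattern, methods, roles); roles is None when auth-constraint is absent."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text for m in wrc.iter("http-method")}  # empty set = every method
            rules += [(p.text, methods, roles) for p in wrc.iter("url-pattern")]
    return rules

def rank(pattern, path):
    """Servlet best-match order: exact, longest path prefix, extension, default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(rules, method, path):
    """None = served without authentication; a set = roles allowed (empty set = nobody)."""
    hits = [(rank(p, path), m, r) for p, m, r in rules if rank(p, path) is not None]
    best = max((h[0] for h in hits), default=None)
    roles = [r for k, m, r in hits if k == best and (not m or method in m)]
    if not roles or None in roles:  # unconstrained, or a constraint with no auth-constraint
        return None
    return set() if set() in roles else set().union(*roles)
```

Running `required_roles` over every path an application serves lists which ones a descriptor leaves open, which is a quick check that only the login resources were exempted.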

        
