[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466269 ]

David Jencks commented on GERONIMO-1585:

I've moved Dmitri's issue to GERONIMO-2763, it is a separate problem.

Web app security on /* causes deployment exception

Key: GERONIMO-1585
URL: https://issues.apache.org/jira/browse/GERONIMO-1585
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security, web
Affects Versions: 1.1, 1.1.2, 1.2, 2.0
Environment: Geronimo 1.0 with Jetty and tomcat
Reporter: Aaron Mulder
Assigned To: David Jencks
Priority: Critical
Fix For: 1.1.x, 1.2, 2.0-M2
Attachments: G1585-Geronimo2.0.patch, g1585-nologin.war, g1585.war, security.patch

Deploying a web app with the following security block causes a deployment error:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>All Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>

Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec). The error is:

org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
    at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
    ...
Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
    at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
    at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
    at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
    at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
    ... 70 more

Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466135 ]

David Jencks commented on GERONIMO-1585:

Fix for /* applied in rev 497925 in 1.2 and rev 497904. I have not yet investigated whether the other problems discussed here are in fact transferred to other jira issues.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12465814 ]

Aman Nanner commented on GERONIMO-1585:

I've been experiencing this issue as well. I rebuilt Geronimo 1.2-beta with the security.patch that is attached to this case, and it fixed the problem. Will this issue be fixed in 1.2?
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12463025 ]

Vamsavardhana Reddy commented on GERONIMO-1585:

Sorry if I added to the confusion. Let us keep this JIRA on track. Let us deal with each issue at the right place.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462468 ]

Vamsavardhana Reddy commented on GERONIMO-1585:

Here is what I observed using sample applications g1585.war and g1585-nologin.war:

1. Pages configured with form-login-page and form-error-page always have unrestricted access.
2. Adding a security-constraint on /login/* with NO auth-constraint element makes all /login/* resources accessible unrestrictedly. The tag in geronimo-web.xml will look like the following:

{code}
<security-constraint>
  <display-name>login</display-name>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <!-- Notice that there is no auth-constraint tag -->
</security-constraint>
{code}

3. Works properly on G Jetty distribution
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462469 ]

Vamsavardhana Reddy commented on GERONIMO-1585:

Using g1585-nologin.war:
Step 0: Undeploy jira/G1585/1.0/war if it exists already
Step 1: Deploy g1585-nologin.war
Step 2: Access http://localhost:8080/G1585 . You will be redirected to a login page with a broken image.
Step 3: Login using uid/pwd = system/manager and welcome page will display

Using g1585.war:
Step 0: Undeploy jira/G1585/1.0/war if it exists already
Step 1: Deploy g1585.war
Step 2: Access http://localhost:8080/G1585 . You will be redirected to a login page with my image :o)
Step 3: Login using uid/pwd = system/manager and welcome page will display

The only difference between g1585.war and g1585-nologin.war is that geronimo-web.xml in g1585.war has the following security-constraint element.

{code}
<security-constraint>
  <display-name>login</display-name>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <!-- Notice that there is no auth-constraint tag -->
</security-constraint>
{code}
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462472 ]

Vamsavardhana Reddy commented on GERONIMO-1585:

Forgot to mention...

1. g1585.war and g1585-nologin.war DO NOT USE security-constraint with url-pattern /*, but, USE /
2. Sample applications are to be used with G1.1.x
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462478 ]

Anita Kulshreshtha commented on GERONIMO-1585:

This problem as described by Aaron is about <url-pattern>/*</url-pattern>. The default pattern, i.e. / works fine.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462481 ]

Vamsavardhana Reddy commented on GERONIMO-1585:

Anita, I understand that this JIRA is about <url-pattern>/*</url-pattern>. My comments and sample apps were more toward Jérôme's concern on EveryBody role.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462484 ]

Anita Kulshreshtha commented on GERONIMO-1585:

Vamsi, Jérôme's observations are based on the results after applying the security.patch. Are you saying that your observations are also taken after the patch?
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ https://issues.apache.org/jira/browse/GERONIMO-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462529 ]

Jeff Genender commented on GERONIMO-1585:

Can we please split up this JIRA? I agree with Anita as the JIRA changed its scope. Let's keep this JIRA on track. The problem Vamsi is talking about is being dealt with in GERONIMO-2695 and we now have a dup in GERONIMO-2339. Let's deal with this problem in GERONIMO-2695 please.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12448789 ]

Jérôme GODARD commented on GERONIMO-1585:

I modified the geronimo-security-1.1.1.jar file with the security.patch to use the /* to secure all pages of my JSF application, but I also want to let the login page (with the resources it uses like jpg, css etc.) be accessible by everybody (unauthenticated). With WebSphere 6, I use the J2EE role EveryBody to do that.

Extract of my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>AllURI</web-resource-name>
    <description>Represent all the application URI</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>User</role-name>
    <role-name>Admin</role-name>
    <role-name>Support</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <description>The login page resource</description>
    <url-pattern>/login/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>EveryBody</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>Constraints PUBLIC</display-name>
  <web-resource-collection>
    <web-resource-name>Theme Resources</web-resource-name>
    <description />
    <url-pattern>/templates/*</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/jscookmenu/*</url-pattern>
    <url-pattern>/</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Public Area</web-resource-name>
    <description>allows acces under /public/</description>
    <url-pattern>/public/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>EveryBody</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

When I deploy it on Geronimo, I use the following geronimo-web.xml file:

<security-realm-name>app-dev-ldap-realm</security-realm-name>
<sec:security>
  <sec:default-principal realm-name="app-dev-ldap-realm">
    <sec:principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </sec:default-principal>
  <sec:role-mappings>
    <sec:role role-name="User">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-USER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true" />
      </sec:realm>
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="Support">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="Admin">
      <sec:realm realm-name="app-dev-ldap-realm">
        <sec:principal name="GP-ZONE3-AXE-MANAGER" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
      </sec:realm>
    </sec:role>
    <sec:role role-name="EveryBody">
      <sec:realm
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12436703 ] Dmitri Colebatch commented on GERONIMO-1585: I'd like to add some related thoughts to this: I have the following in my web.xml: security-constraint web-resource-collection web-resource-nameStruts pages/web-resource-name url-pattern*.do/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameLogin page/web-resource-name url-pattern/login.do/url-pattern http-methodGET/http-method /web-resource-collection /security-constraint So the outcome I want is that in general struts pages require authentication, but the login page doesn't require authentication (obviously). This has been working fine on WL but when I try to deploy on Geronimo I get this: Caused by: java.lang.IllegalArgumentException: Only exact and path-prefix qualifiers in the URLPatternSpec are allowed when first URLPattern is an extension pattern at javax.security.jacc.URLPatternSpec.init(URLPatternSpec.java:82) at javax.security.jacc.WebResourcePermission.init(WebResourcePermission.java:54) at org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357) Debugging through the code, AbstractWebModuleBuilder is merging all the patterns including ones that don't require authentication and so is trying to create a WebResourcePermission instance with the string *.do:/login.do. The servlet spec section 12.8.1 Combining constraints says: A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. I realise this isn't exactly what this bug is about, but it should be addressed at the same time. 
Web app security on /* causes deployment exception

Key: GERONIMO-1585
URL: http://issues.apache.org/jira/browse/GERONIMO-1585
Project: Geronimo
Issue Type: Bug
Security Level: public(Regular issues)
Components: web, security
Affects Versions: 1.1
Environment: Geronimo 1.0 with Jetty and tomcat
Reporter: Aaron Mulder
Priority: Critical
Fix For: 1.1.x
Attachments: security.patch

Deploying a web app with the following security block causes a deployment error:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All Pages</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>

Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec). The error is:

    org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
        at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
        ...
    Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
        at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
        at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
        at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
        at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
        ... 70 more

Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.
Re: [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Aaron,
I have unit tested this on jetty and it is working on tomcat-server. The change is too small for a patch.

Thanks
Anita

--- Anita Kulshreshtha (JIRA) dev@geronimo.apache.org wrote:

[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365630 ]

Anita Kulshreshtha commented on GERONIMO-1585:

Aaron could you please add a line pat = "/" as shown here in o.a.g.security.util.URLPattern and test if your app works.

    public URLPattern(String pat) {
        if (pat == null) t..
        if (pat.length() == 0) ...
        if (pat.equals("/") || pat.equals("/*")) {
            type = DEFAULT;
            pat = "/";    <-- new line
        . .
        } else

Web app security on /* causes deployment exception

Key: GERONIMO-1585
URL: http://issues.apache.org/jira/browse/GERONIMO-1585
Project: Geronimo
Type: Bug
Components: web, security
Versions: 1.0
Environment: Geronimo 1.0 with Jetty
Reporter: Aaron Mulder
Priority: Critical
Fix For: 1.0.1, 1.1
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365621 ]

Anita Kulshreshtha commented on GERONIMO-1585:

o.a.g.security.util.URLPattern.getQualifiedPattern(..) should reject */ from the qualified pattern as per JACC 3.1.3.1 Qualified URL Pattern Names.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365622 ]

Anita Kulshreshtha commented on GERONIMO-1585:

Please read that as /*
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365630 ]

Anita Kulshreshtha commented on GERONIMO-1585:

Aaron could you please add a line pat = "/" as shown here in o.a.g.security.util.URLPattern and test if your app works.

    public URLPattern(String pat) {
        if (pat == null) t..
        if (pat.length() == 0) ...
        if (pat.equals("/") || pat.equals("/*")) {
            type = DEFAULT;
            pat = "/";    <-- new line
        . .
        } else
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365423 ]

Gary Karasiuk commented on GERONIMO-1585:

As a new user who just spent two days trying to track down what the message "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern" means, with no hint of even which file the error is in, or which line number is causing the error, I would advocate that if there is ambiguity in the spec, we should err on the side of being more user friendly. That is, don't throw an error. But if you decide to throw an error, then please make it easy to correct.

Other app servers allow the /* pattern. And for people like me who are trying to run existing applications, we would prefer not to have extra restrictions.
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365431 ]

Anita Kulshreshtha commented on GERONIMO-1585:

After digging further through all the webapps supplied by tomcat (http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/webapps/webdav/WEB-INF/web.xml), I found the following -

1. /* is used as url-pattern in web-resource-collection and filter-mapping.
2. Its usage in servlet-mapping is left up to the deployer.

Here is an example from webdav webapp -

    ..
    <!-- The mapping for the webdav servlet -->
    <!-- Using /* as the mapping ensures that jasper, welcome files etc are
         over-ridden and all requests are processed by the webdav servlet.
         This also overcomes a number of issues with some webdav clients
         (including MS Webfolders) that do not respond correctly to the
         redirects (302) that result from using a mapping of / -->
    <servlet-mapping>
        <servlet-name>webdav</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    .

Which means we need to allow this in DD but need to make sure that it is not passed to the constructor for WebResourcePermission. G-1448 will have to be dealt with separately, when someone has a good reason to use it instead of /
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365362 ]

Anita Kulshreshtha commented on GERONIMO-1585:

This issue was discussed in G-603. Page 22, last paragraph of JACC reads -

"Any pattern, qualified by a pattern that matches it, is overridden and made irrelevant (in the translation) by the qualifying pattern. Specifically, all extension patterns and the default pattern are made irrelevant by the presence of the path prefix pattern "/*" in a deployment descriptor. Patterns qualified by the "/*" pattern violate the URLPatternSpec constraints of WebResourcePermission and WebUserDataPermission names and must be rejected by the corresponding permission constructors."

The syntax of a URLPatternSpec is as follows: see http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html

    URLPatternList ::= URLPattern | URLPatternList colon URLPattern
    URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList

It goes on to say ... "The first URLPattern in a URLPatternSpec may be any of the pattern types, exact, path-prefix, extension, or default as defined in the Java Servlet Specification)."

AIUI /* is neither exact, nor path-prefix (/ followed by /*), nor extension (e.g. *.jsp), nor default (/)

I think we should reject /* as an invalid URLPattern. Tomcat does the same and that explains G-1448.
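The qualification rule quoted from JACC in the comment above, worked through in Java as an added example (it is not Geronimo's code and not part of the original thread). The class and method names are hypothetical, the inputs are the url-patterns of the two descriptors quoted in this thread, and the sketch assumes the default pattern "/" always takes part in the translation even when the descriptor does not list it.

```java
import java.util.*;

// Added illustration of JACC 3.1.3.1 qualification; not Geronimo's URLPattern class.
public class QualifiedPatternDemo {
    enum Type { EXACT, PATH_PREFIX, EXTENSION, DEFAULT }

    static Type typeOf(String p) {
        if (p.equals("/")) return Type.DEFAULT;
        if (p.startsWith("/") && p.endsWith("/*")) return Type.PATH_PREFIX; // includes "/*"
        if (p.startsWith("*.")) return Type.EXTENSION;
        return Type.EXACT;
    }

    // Does pattern p match the pattern 'other'?
    static boolean matches(String p, String other) {
        if (p.equals(other) || p.equals("/") || p.equals("/*")) return true;
        Type t = typeOf(p);
        if (t == Type.PATH_PREFIX) {
            String stem = p.substring(0, p.length() - 2);
            return other.startsWith(stem)
                && (other.length() == stem.length() || other.charAt(stem.length()) == '/');
        }
        return t == Type.EXTENSION && other.endsWith(p.substring(1));
    }

    // Patterns that must qualify p, following the four cases of JACC 3.1.3.1.
    static List<String> qualifiers(String p, Collection<String> all) {
        List<String> out = new ArrayList<>();
        for (String o : all) {
            if (o.equals(p) || out.contains(o)) continue;
            Type ot = typeOf(o);
            boolean add;
            switch (typeOf(p)) {
                case PATH_PREFIX: add = (ot == Type.PATH_PREFIX || ot == Type.EXACT) && matches(p, o); break;
                case EXTENSION:   add = ot == Type.PATH_PREFIX || (ot == Type.EXACT && matches(p, o)); break;
                case DEFAULT:     add = true; break;   // every other pattern
                default:          add = false;         // exact patterns are never qualified
            }
            if (add) out.add(o);
        }
        return out;
    }

    // Name to pass to a permission constructor, or empty when a qualifier matches p:
    // such a pattern is overridden and no permission should be built for it.
    static Optional<String> permissionName(String p, Collection<String> all) {
        List<String> q = qualifiers(p, all);
        for (String o : q) if (matches(o, p)) return Optional.empty();
        return Optional.of(q.isEmpty() ? p : p + ":" + String.join(":", q));
    }

    // First URLPatternSpec constraint: no pattern in the list may match the first pattern.
    static void checkSpec(String spec) {
        String[] parts = spec.split(":");
        for (int i = 1; i < parts.length; i++)
            if (matches(parts[i], parts[0]))
                throw new IllegalArgumentException(
                    "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern");
    }

    public static void main(String[] args) {
        // Constructed inputs: url-patterns from the two web.xml fragments in this thread.
        for (List<String> dd : List.of(List.of("/*"), List.of("*.do", "/login.do"))) {
            Set<String> all = new LinkedHashSet<>(dd);
            all.add("/"); // assumption: the default pattern always takes part
            System.out.println("descriptor patterns " + dd);
            for (String p : all)
                System.out.println("  " + p + " -> "
                    + permissionName(p, all).orElse("overridden, no permission built"));
        }
        try {
            checkSpec("/:/*"); // the name produced if "/" is qualified by "/*" and not skipped
        } catch (IllegalArgumentException e) {
            System.out.println("/:/* rejected: " + e.getMessage());
        }
    }
}
```

The optional step of dropping qualifiers already matched by another qualifier is left out. On Java 11 or later the file runs directly with `java QualifiedPatternDemo.java`.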
[jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
[ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365370 ]

Aaron Mulder commented on GERONIMO-1585:

Well, I'm OK with this if the JACC spec is clear about it -- without the context, it's hard for me to judge. (e.g. I would have said /* was pretty clearly a path prefix). It also makes me a little uncomfortable that one of the examples in the Servlet spec actually uses /* so it really seems legit.

In any case, it would be nice if we're going to reject this that we provide a specific message to the effect of "The JACC specification specifically disallows /* as a URL pattern; please use just / instead." The current message "Qualifier patterns in the URLPatternSpec cannot match the first URLPattern" is not at all clear to me.

If we have a clear message with a recommended solution, then I don't really care too much if we reject that specific pattern.