geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anita Kulshreshtha (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Date Tue, 07 Feb 2006 02:49:57 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365380 ] 

Anita Kulshreshtha commented on GERONIMO-1585:
----------------------------------------------

SRV.11.2 could be used to argue that "/*" is not a path mapping. It says - 
"SRV.11.2 Specification of Mappings
In theWeb application deployment descriptor, the following syntax is used to define
mappings:
• A string beginning with a '/' character and ending with a '/*' suffix is used
for path mapping.
• A string beginning with a '*.' prefix is used as an extension mapping.
• A string containing only the '/' character indicates the "default" servlet of
the application. In this case the servlet path is the request URI minus the context
path and the path info is null.
• All other strings are used for exact matches only."
    I do wonder about the purpose of the servlet spec example. Should we disallow "/*" as
URLPattern even in servlet mapping?

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>          Key: GERONIMO-1585
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>      Project: Geronimo
>         Type: Bug
>   Components: web, security
>     Versions: 1.0
>  Environment: Geronimo 1.0 with Jetty
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0.1, 1.1

>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec
cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to
work too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message