geronimo-dev mailing list archives

From "Anita Kulshreshtha (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Date Mon, 06 Feb 2006 23:25:57 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365362 ] 

Anita Kulshreshtha commented on GERONIMO-1585:
----------------------------------------------

This issue was discussed in G-603. Page 22, last paragraph of JACC reads -

"... Any pattern, qualified by a pattern that matches it, is overridden and made irrelevant (in the translation) by the qualifying pattern. Specifically, all extension patterns and the default pattern are made irrelevant by the presence of the path prefix pattern "/*" in a deployment descriptor. Patterns qualified by the "/*" pattern violate the URLPatternSpec constraints of WebResourcePermission and WebUserDataPermission names and must be rejected by the corresponding permission constructors."
The syntax of a URLPatternSpec is as follows (see http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html):

          URLPatternList ::= URLPattern | URLPatternList colon URLPattern

          URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList

It goes on to say "... The first URLPattern in a URLPatternSpec may be any of the pattern types, exact, path-prefix, extension, or default as defined in the Java Servlet Specification)." AIUI "/*" is neither

  - exact, nor
  - path-prefix ("/" followed by "/*"), nor
  - extension (e.g. *.jsp), nor
  - default ("/")

I think we should reject "/*" as an invalid URLPattern. Tomcat does the same and that explains G-1448.

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>          Key: GERONIMO-1585
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>      Project: Geronimo
>         Type: Bug
>   Components: web, security
>     Versions: 1.0
>  Environment: Geronimo 1.0 with Jetty
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0.1, 1.1
>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.
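The discussion above turns on two things: how a url-pattern is classified (exact, path-prefix, extension, default) and which qualifying patterns a URLPatternSpec may carry after its first pattern. The following is an added example, not code from Geronimo or from the javax.security.jacc classes in the stack trace. It models the URLPatternSpec grammar quoted in the comment and the qualifier constraints from the WebResourcePermission javadoc, using the Servlet-spec mapping rules for classification (a string starting with "/" and ending in "/*" is a path prefix, so "/*" is treated here as a path prefix with an empty prefix). The rule that "/*" matches every other pattern, including extension patterns, is taken from the JACC passage quoted above ("all extension patterns and the default pattern are made irrelevant by the presence of /*"). All spec strings and descriptor patterns in the block are constructed for illustration; the error text mirrors the exception on this page but is produced by this model, not by Geronimo.

```python
"""Model of JACC URLPatternSpec validation (constructed example, not Geronimo code)."""
from __future__ import annotations

DEFAULT, EXACT, PATH_PREFIX, EXTENSION = "default", "exact", "path-prefix", "extension"


def pattern_type(p: str) -> str:
    """Classify a URLPattern by the Servlet-spec mapping rules."""
    if p == "/":
        return DEFAULT
    if p.startswith("/") and p.endswith("/*"):
        return PATH_PREFIX      # includes "/*" itself (empty prefix)
    if p.startswith("*."):
        return EXTENSION
    return EXACT                # includes the empty string


def matches(p: str, q: str) -> bool:
    """True when pattern p matches (subsumes) pattern q."""
    kind = pattern_type(p)
    if kind == DEFAULT:
        return True             # "/" matches everything
    if kind == PATH_PREFIX:
        if p == "/*":
            return True         # per the JACC text quoted on the page: "/*" overrides
                                # extension patterns and the default pattern as well
        prefix = p[:-2]
        return q == prefix or q.startswith(prefix + "/")
    if kind == EXTENSION:
        return pattern_type(q) == EXACT and q.endswith(p[1:])
    return p == q


def parse_spec(spec: str | None) -> tuple[str, list[str]]:
    """URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList."""
    if spec is None:
        return "/", []          # null spec is translated to the default pattern
    first, *qualifiers = spec.split(":")
    return first, qualifiers


def validate_spec(spec: str | None) -> tuple[str, list[str]]:
    """Apply the URLPatternSpec constraints; raise ValueError on a violation."""
    first, qualifiers = parse_spec(spec)
    kind = pattern_type(first)
    if kind == EXACT and qualifiers:
        raise ValueError(f"exact pattern {first!r} must not carry a URLPatternList")
    for q in qualifiers:
        # No qualifier may match the first pattern (the check behind the
        # "Qualifier patterns ... cannot match the first URLPattern" error).
        if matches(q, first):
            raise ValueError(f"qualifier {q!r} matches the first URLPattern {first!r}")
        qkind = pattern_type(q)
        if kind == PATH_PREFIX:
            ok = qkind in (EXACT, PATH_PREFIX) and matches(first, q) and q != first
        elif kind == EXTENSION:
            ok = qkind == PATH_PREFIX or (qkind == EXACT and matches(first, q))
        else:                   # DEFAULT first pattern
            ok = qkind != DEFAULT
        if not ok:
            raise ValueError(f"qualifier {q!r} is not permitted after {kind} pattern {first!r}")
    return first, qualifiers


def spec_error(spec: str | None) -> str | None:
    """Return the violation message for a spec, or None when it is valid."""
    try:
        validate_spec(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed specs: the two marked "/*" are the ones the quoted JACC text
    # says must be rejected (a default or extension pattern qualified by "/*").
    for s in (None, "/admin/*:/admin/login", "/:/admin/*:*.jsp", "/:/*",
              "*.jsp:/*", "/*:/login", "/login:/"):
        print(f"{s!r:28} -> {spec_error(s) or 'ok'}")
```

Running the block prints one line per constructed spec; the specs "/:/*" and "*.jsp:/*" are the ones that fail the "qualifier must not match the first pattern" check, which is the shape of the constraint the comment above is discussing.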
