Message-ID: <953120058.1139268357273.JavaMail.jira@ajax.apache.org>
Date: Tue, 7 Feb 2006 00:25:57 +0100 (CET)
From: "Anita Kulshreshtha (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
In-Reply-To: <537039468.1139157963963.JavaMail.jira@ajax.apache.org>

    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12365362 ]

Anita Kulshreshtha commented on GERONIMO-1585:
----------------------------------------------

This issue was discussed in G-603. Page 22, last paragraph of JACC reads -
"........................
Any pattern, qualified by a pattern that matches it, is overridden and made irrelevant (in the translation) by the qualifying pattern. Specifically, all extension patterns and the default pattern are made irrelevant by the presence of the path prefix pattern "/*" in a deployment descriptor. Patterns qualified by the "/*" pattern violate the URLPatternSpec constraints of WebResourcePermission and WebUserDataPermission names and must be rejected by the corresponding permission constructors."

The syntax of a URLPatternSpec is as follows: see
http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html

    URLPatternList ::= URLPattern | URLPatternList colon URLPattern
    URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList

It goes on to say
"................... The first URLPattern in a URLPatternSpec may be any of the pattern types, exact, path-prefix, extension, or default as defined in the Java Servlet Specification)."

AIUI "/*" is neither exact, nor path-prefix ("/" followed by "/*"), nor extension (e.g. *.jsp), nor default ("/").
I think we should reject "/*" as an invalid URLPattern. Tomcat does the same and that explains G-1448.

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>          Key: GERONIMO-1585
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>      Project: Geronimo
>         Type: Bug
>   Components: web, security
>     Versions: 1.0
>  Environment: Geronimo 1.0 with Jetty
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0.1, 1.1
>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
> org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
> Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
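
The qualifier rule named in the exception above, as an added example that is not part of the original message and is not the javax.security.jacc or Geronimo source: it splits a URLPatternSpec on the colon grammar quoted in the comment and reports every qualifier that matches the first pattern, using the pattern-matching rules of the JACC permission classes. The class name, method names and sample specs are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a small model of the URLPatternSpec qualifier check.
// Names are hypothetical; this is not the JACC or Geronimo implementation.
public class UrlPatternSpecCheck {

    // True when pattern p matches pattern q under the JACC matching rules.
    static boolean matches(String p, String q) {
        // Identical patterns, the default pattern "/" and "/*" match everything.
        if (p.equals(q) || p.equals("/") || p.equals("/*")) return true;
        if (p.startsWith("/") && p.endsWith("/*")) {              // path-prefix
            String stem = p.substring(0, p.length() - 2);
            return q.startsWith(stem)
                && (q.length() == stem.length() || q.charAt(stem.length()) == '/');
        }
        if (p.startsWith("*.")) return q.endsWith(p.substring(1)); // extension
        return false;                                              // exact, not equal
    }

    // Parses "first:q1:q2" and returns the qualifiers that match the first
    // pattern; a non-empty result means the spec must be rejected.
    static List<String> offendingQualifiers(String spec) {
        String[] parts = spec.split(":");
        List<String> bad = new ArrayList<>();
        for (int i = 1; i < parts.length; i++) {
            if (matches(parts[i], parts[0])) bad.add(parts[i]);
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample specs, not taken from the Geronimo deployment.
        String[] specs = {
            "/*", "/", "/:/*", "*.jsp:/*", "/a/*:/a/*",
            "/:/admin/*:*.jsp", "/admin/*:/admin/login"
        };
        for (String s : specs) {
            List<String> bad = offendingQualifiers(s);
            System.out.println(s + " -> " + (bad.isEmpty()
                ? "accepted"
                : "rejected, qualifier(s) " + bad + " match the first pattern"));
        }
    }
}
```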