geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dmitri Colebatch (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Date Fri, 22 Sep 2006 00:45:22 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12436703 ] 
            
Dmitri Colebatch commented on GERONIMO-1585:
--------------------------------------------

I'd like to add some related thoughts to this:

I have the following in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts pages</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
  <web-resource-name>Login page</web-resource-name>
    <url-pattern>/login.do</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>

So the outcome I want is that in general struts pages require
authentication, but the login page doesn't require authentication
(obviously).  This has been working fine on WL but when I try to
deploy on Geronimo I get this:

Caused by: java.lang.IllegalArgumentException: Only exact and
path-prefix qualifiers in the URLPatternSpec are allowed when first
URLPattern is an extension pattern
      at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:82)
      at 
javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
      at 
org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357)

Debugging through the code, AbstractWebModuleBuilder is merging all
the patterns including ones that don't require authentication and so
is trying to create a WebResourcePermission instance with the string
"*.do:/login.do".

The servlet spec section "12.8.1 Combining constraints" says:

"A security constraint that does not contain an authorization
constraint shall combine with authorization constraints that name or
imply roles to allow unauthenticated access."

I realise this isn't exactly what this bug is about, but it should be addressed at the same
time.

> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>                 Key: GERONIMO-1585
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web, security
>    Affects Versions: 1.1
>         Environment: Geronimo 1.0 with Jetty and tomcat
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.1.x
>
>         Attachments: security.patch
>
>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec
cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to
work too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message