geronimo-dev mailing list archives

From "Dmitri Colebatch (JIRA)" <>
Subject [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Date Fri, 22 Sep 2006 00:45:22 GMT
Dmitri Colebatch commented on GERONIMO-1585:

I'd like to add some related thoughts to this:

I have the following in my web.xml:

    <web-resource-name>Struts pages</web-resource-name>
  <web-resource-name>Login page</web-resource-name>

So the outcome I want is that in general struts pages require
authentication, but the login page doesn't require authentication
(obviously).  This has been working fine on WL but when I try to
deploy on Geronimo I get this:

Caused by: java.lang.IllegalArgumentException: Only exact and
path-prefix qualifiers in the URLPatternSpec are allowed when first
URLPattern is an extension pattern

Debugging through the code, AbstractWebModuleBuilder is merging all
the patterns including ones that don't require authentication and so
is trying to create a WebResourcePermission instance with the string

The servlet spec section "12.8.1 Combining constraints" says:

"A security constraint that does not contain an authorization
constraint shall combine with authorization constraints that name or
imply roles to allow unauthenticated access."

I realise this isn't exactly what this bug is about, but it should be addressed at the same

> Web app security on /* causes deployment exception
> --------------------------------------------------
>                 Key: GERONIMO-1585
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web, security
>    Affects Versions: 1.1
>         Environment: Geronimo 1.0 with Jetty and tomcat
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.1.x
>         Attachments: security.patch
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec cannot match the first URLPattern
>         at<init>(
>         at<init>(
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to work too.
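
Both exceptions quoted in this thread are raised when a qualified URLPatternSpec (`first:qualifier:...`) is used as a permission name. The stand-alone checker below is an added example, not Geronimo code and not part of the original message; it restates the qualifier rules as given in the javax.security.jacc.WebResourcePermission Javadoc, and the class name, method names and sample specs are constructed for illustration.

```java
// Added illustration, not Geronimo code; names and sample specs are constructed.
public class UrlPatternSpecCheck {
    enum Kind { EXACT, PREFIX, EXTENSION, DEFAULT }
    static Kind kind(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        if (p.startsWith("/") && p.endsWith("/*")) return Kind.PREFIX;
        return Kind.EXACT;
    }
    // JACC pattern matching: does pattern p match the argument pattern arg?
    static boolean matches(String p, String arg) {
        if (p.equals(arg) || p.equals("/") || p.equals("/*")) return true;
        if (kind(p) == Kind.PREFIX) {
            String base = p.substring(0, p.length() - 2);
            return arg.startsWith(base)
                    && (arg.length() == base.length() || arg.charAt(base.length()) == '/');
        }
        return kind(p) == Kind.EXTENSION && arg.endsWith(p.substring(1));
    }

    // Returns null when the spec is a legal permission name, otherwise the reason for rejection.
    static String validate(String spec) {
        String[] parts = spec.split(":");
        for (int i = 1; i < parts.length; i++) {
            String q = parts[i];
            Kind k = kind(q);
            boolean exactHit = k == Kind.EXACT && matches(parts[0], q);
            // Also rejects a repeated first pattern and a second "/" after a default first pattern.
            if (matches(q, parts[0])) return "qualifier " + q + " matches the first pattern";
            switch (kind(parts[0])) {
                case EXACT:
                    return "an exact first pattern takes no qualifiers";
                case PREFIX:
                    if (!exactHit && !(k == Kind.PREFIX && matches(parts[0], q)))
                        return "qualifier " + q + " is not covered by " + parts[0];
                    break;
                case EXTENSION:
                    if (!exactHit && k != Kind.PREFIX)
                        return "only exact and path-prefix qualifiers are allowed after " + parts[0];
                    break;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        for (String s : new String[] {"*.do:/login.do", "*.do:/login.do:*.jsp", "/*:/", "/:/app/*:*.do"})
            System.out.println(s + " -> " + (validate(s) == null ? "ok" : "rejected: " + validate(s)));
    }
}
```

The second and third sample specs are rejected for the same reasons as the two exception messages in the thread: an extension qualifier after an extension first pattern, and a qualifier that matches the first pattern.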
