geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Closed: (GERONIMO-2763) JACC URLPatternSpec does not accept *do:login.do as it should
Date Thu, 15 Mar 2007 04:43:09 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Jencks closed GERONIMO-2763.
----------------------------------

    Resolution: Fixed

not sure why I didn't already close this.

> JACC URLPatternSpec does not accept *do:login.do as it should
> -------------------------------------------------------------
>
>                 Key: GERONIMO-2763
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2763
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, specs
>    Affects Versions: 1.1.1, 2.0-M1
>            Reporter: David Jencks
>         Assigned To: David Jencks
>             Fix For: 2.0-M2
>
>
> This problem was originally reported by Dmitry Colebach in GERONIMO-1585.  I've copied
his description here:
> I'd like to add some related thoughts to this:
> I have the following in my web.xml:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Struts pages</web-resource-name>
> <url-pattern>*.do</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Login page</web-resource-name>
> <url-pattern>/login.do</url-pattern>
> <http-method>GET</http-method>
> </web-resource-collection>
> </security-constraint>
> So the outcome I want is that in general struts pages require
> authentication, but the login page doesn't require authentication
> (obviously). This has been working fine on WL but when I try to
> deploy on Geronimo I get this:
> Caused by: java.lang.IllegalArgumentException: Only exact and
> path-prefix qualifiers in the URLPatternSpec are allowed when first
> URLPattern is an extension pattern
> at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:82)
> at
> javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
> at
> org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357)
> Debugging through the code, AbstractWebModuleBuilder is merging all
> the patterns including ones that don't require authentication and so
> is trying to create a WebResourcePermission instance with the string
> "*.do:/login.do".
> The servlet spec section "12.8.1 Combining constraints" says:
> "A security constraint that does not contain an authorization
> constraint shall combine with authorization constraints that name or
> imply roles to allow unauthenticated access."
> I realise this isn't exactly what this bug is about, but it should be addressed at the
same time.
> [ Show ยป ]
> Dmitri Colebatch [21/Sep/06 05:43 PM] I'd like to add some related thoughts to this:
I have the following in my web.xml: <security-constraint> <web-resource-collection>
<web-resource-name>Struts pages</web-resource-name> <url-pattern>*.do</url-pattern>
<http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection>
<auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint>
<security-constraint> <web-resource-collection> <web-resource-name>Login
page</web-resource-name> <url-pattern>/login.do</url-pattern> <http-method>GET</http-method>
</web-resource-collection> </security-constraint> So the outcome I want is that
in general struts pages require authentication, but the login page doesn't require authentication
(obviously). This has been working fine on WL but when I try to deploy on Geronimo I get this:
Caused by: java.lang.IllegalArgumentException: Only exact and path-prefix qualifiers in the
URLPatternSpec are allowed when first URLPattern is an extension pattern at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:82)
at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54) at
org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357)
Debugging through the code, AbstractWebModuleBuilder is merging all the patterns including
ones that don't require authentication and so is trying to create a WebResourcePermission
instance with the string "*.do:/login.do". The servlet spec section "12.8.1 Combining constraints"
says: "A security constraint that does not contain an authorization constraint shall combine
with authorization constraints that name or imply roles to allow unauthenticated access."
I realise this isn't exactly what this bug is about, but it should be addressed at the same
time.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message