Message-ID: <7ee306c00609211417u210e3021k283e7747b7262dde@mail.gmail.com>
Date: Fri, 22 Sep 2006 07:17:55 +1000
From: "Dmitri Colebatch"
To: user@geronimo.apache.org
Subject: IllegalStateException caused by incorrect merging of role mappings
In-Reply-To: <7ee306c00609201916p3f446141mde953fc0e232a5d3@mail.gmail.com>

(I sent this yesterday but don't think the subscription service picked up my correct from address so am sending again - apologies if it appears twice).

Hi all,

I'm new to Geronimo and am looking at the possibility of migrating some fairly simple webapps from WLX9.1 to Geronimo/Jetty. I've hit a snag related to the way I have my security config set up and I think it's a bug in Geronimo - more than happy to be corrected but would appreciate if any other users (or developers) could offer some thoughts on this.

I have the following in my web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Struts pages</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login page</web-resource-name>
            <url-pattern>/login.do</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
    </security-constraint>

So the outcome I want is that in general struts pages require authentication, but the login page doesn't require authentication (obviously).

This has been working fine on WL but when I try to deploy on Geronimo I get this:

    Caused by: java.lang.IllegalArgumentException: Only exact and path-prefix qualifiers in the URLPatternSpec are allowed when first URLPattern is an extension pattern
        at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:82)
        at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
        at org.apache.geronimo.web.deployment.AbstractWebModuleBuilder.buildSpecSecurityConfig(AbstractWebModuleBuilder.java:357)

Debugging through the code, AbstractWebModuleBuilder is merging all the patterns including ones that don't require authentication and so is trying to create a WebResourcePermission instance with the string "*.do:/login.do".

The servlet spec section "12.8.1 Combining constraints" says:

"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."

So I'm assuming what I'm doing is ok and this is a bug with Geronimo. Anyone have any thoughts/suggestions before I raise a bug?

cheers
dim
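
The outcome the message expects from its two constraints can be checked with a small model of the servlet specification's rules: select the constraints on the best-matching url-pattern, then apply the "Combining constraints" rules quoted above. This is an added example, not part of the original message and not Geronimo or JACC code; the dictionary layout and the names `match_rank` and `decide` are assumptions made for illustration.

```python
# Constructed model of the two security constraints described in the message.
# roles=None: no <auth-constraint>; roles=set(): empty <auth-constraint>.
CONSTRAINTS = [
    {"name": "Struts pages", "patterns": ["*.do"],
     "methods": {"GET", "POST"}, "roles": {"*"}},
    {"name": "Login page", "patterns": ["/login.do"],
     "methods": {"GET"}, "roles": None},
]


def match_rank(pattern, path):
    """Rank a url-pattern match: exact > longest path-prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] == pattern[2:]:
            return (1, 0)
        return None
    return (0, 0) if pattern == "/" else None


def decide(path, method, constraints=CONSTRAINTS):
    """Return the access rule the combined constraints give for one request."""
    best, selected = None, []
    for c in constraints:
        for p in c["patterns"]:
            rank = match_rank(p, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, selected = rank, [c]
            elif rank == best:
                selected.append(c)  # same best-match pattern in another constraint
    # Only constraints on the best-match pattern that name this method apply
    # (an empty method set means every method).
    applicable = [c for c in selected if not c["methods"] or method in c["methods"]]
    if not applicable:
        return "unconstrained"
    if any(c["roles"] is not None and not c["roles"] for c in applicable):
        return "denied"  # an empty auth-constraint overrides everything else
    if any(c["roles"] is None for c in applicable):
        return "unauthenticated"
    return "roles:" + ",".join(sorted(set().union(*(c["roles"] for c in applicable))))
```

In this model `POST /login.do` comes out as unconstrained, because the best-match pattern `/login.do` constrains only GET.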