[jboss-dev] Security Dependency Mismatch Was: Where are allowable methods configured?

Andrew Lee Rubinger andrew.rubinger at redhat.com
Wed Jul 1 01:42:45 EDT 2009


Looks to me like another case of mismatched dependencies.

From AS Branch_5_x "build" module:
[INFO] [dependency:tree]
[INFO] org.jboss.jbossas:jboss-as-build:pom:5.2.0-SNAPSHOT
[INFO] \- org.jboss.jbossas:jboss-as-aspects:jar:5.2.0-SNAPSHOT:compile
[INFO]    \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:compile
[INFO]       \- javax.security:jacc:jar:1.0:compile

However I don't see the jacc JAR anywhere in the distribution (hence not 
available at runtime):

JBOSS_HOME $> find . -name '*jacc*' > Nothing

Instead, we've got org.jboss.javaee:jboss-javaee declared by the 
thirdparty module and placed into $JBOSS_HOME/common/lib.  This JAR is 
incorrectly *not* a dependency of the build module:

build $> mvn dependency:tree -Dincludes=org.jboss.javaee:jboss-javaee > Nothing

So some fancy excludes on javax.security:jacc and an explicit additional 
dependency upon org.jboss.javaee:jboss-javaee within Embedded yield an 
error-free AS boot in the "default" config. :D

I'll add this to my list of tasks to revisit when looking at the AS 
dependency chain.

S,
ALR

On 06/30/2009 06:31 PM, Andrew Lee Rubinger wrote:
> Booting Embedded I've got a fun exception informing me that methods
> "!GET,POST" are not allowed while creating a WebResourcePermission.
> These are the identical parameters passed in while running AS in
> Standalone. Where are the allowed HTTP methods configured? Does this
> ring any bells to anyone?
>
> Thx. :)
>
> 17:25:01,895 ERROR [AbstractKernelController] Error installing to Real: name=vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/ state=PreReal mode=Manual requiredState=Real
> org.jboss.deployers.spi.DeploymentException: Error deploying: jboss.jacc:service=jacc,id="vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/invoker.war/",parent="http-invoker.sar"
>     at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
>     at ...
> Caused by: java.lang.IllegalArgumentException: Could not create resource permission with pattern "/restricted/*" and methods: !GET,POST
>     at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:229)
>     at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:55)
>     at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:38)
>     at org.jboss.deployment.security.JaccPolicy.create(JaccPolicy.java:94)
>     ...
> Caused by: java.lang.IllegalArgumentException: illegal HTTP method
>     at javax.security.jacc.HttpMethodSpec.makeMethodSet(HttpMethodSpec.java:100)
>     at javax.security.jacc.HttpMethodSpec.getMethodSet(HttpMethodSpec.java:74)
>     at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:137)
>     at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:225)
>
> S,
> ALR

-- 
Andrew Lee Rubinger
Sr. Software Engineer
JBoss by Red Hat
http://exitcondition.alrubinger.com
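
The two manual checks in the message above (searching the distribution for the jacc JAR, and searching the build module's tree for jboss-javaee) can be run as one comparison of declared dependencies against shipped JARs. This is an added example, not code from the original post or from JBoss; the JAR listing is constructed, and matching a JAR to a dependency by artifactId file name is an assumption.

```python
import re
from pathlib import PurePosixPath

# dependency:tree output as quoted in the message above.
TREE = r"""
[INFO] org.jboss.jbossas:jboss-as-build:pom:5.2.0-SNAPSHOT
[INFO] \- org.jboss.jbossas:jboss-as-aspects:jar:5.2.0-SNAPSHOT:compile
[INFO]    \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:compile
[INFO]       \- javax.security:jacc:jar:1.0:compile
"""

# Constructed sample of `find . -name '*.jar'` output; paths are illustrative only.
DIST_JARS = [
    "./common/lib/jboss-javaee.jar",
    "./common/lib/jboss-security-aspects.jar",
    "./lib/jboss-as-aspects-5.2.0-SNAPSHOT.jar",
]

def parse_tree(text):
    """Return (groupId, artifactId, version, scope) for every jar node in the tree."""
    deps = []
    for line in text.splitlines():
        m = re.match(r"\[INFO\][\s|+\\-]*(\S+)$", line.rstrip())
        parts = m.group(1).split(":") if m else []
        if len(parts) == 6:  # groupId:artifactId:type:classifier:version:scope
            del parts[3]
        if len(parts) == 5 and parts[2] == "jar":
            deps.append((parts[0], parts[1], parts[3], parts[4]))
    return deps

def artifact_of(jar_path):
    """Strip the directory, '.jar' and a trailing '-<version>' from a JAR path."""
    name = PurePosixPath(jar_path).name
    return re.sub(r"(-\d[\w.\-]*)?\.jar$", "", name)

def compare(tree_text, jar_paths, scopes=("compile", "runtime")):
    """Return (declared but not shipped, shipped but not declared)."""
    declared = {a: f"{g}:{a}:{v}" for g, a, v, s in parse_tree(tree_text) if s in scopes}
    shipped = {artifact_of(p): p for p in jar_paths}
    missing = sorted(declared[a] for a in declared.keys() - shipped.keys())
    unlisted = sorted(shipped[a] for a in shipped.keys() - declared.keys())
    return missing, unlisted

if __name__ == "__main__":
    missing, unlisted = compare(TREE, DIST_JARS)
    print("declared by the build, absent from the distribution:", missing)
    print("in the distribution, absent from the build tree:", unlisted)
```

A repackaged API JAR shows up in both lists at once (the declared artifact as missing, the substitute as undeclared), which is the pattern the message describes for jacc and jboss-javaee.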


