[jboss-jira] [JBoss JIRA] (WFLY-13044) WFLYSEC0012 Error in web.xml with similar Patterns
Franco Gimenez (Jira)
issues at jboss.org
Fri Jan 31 08:37:11 EST 2020
[ https://issues.redhat.com/browse/WFLY-13044?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Franco Gimenez updated WFLY-13044:
----------------------------------
Steps to Reproduce:
Make two constraints, one denying access to all resources (with extension patterns and similar extensions like "**.html", "**.htm", or "**.jsp", "**.js") and the other allowing access to a certain resource like "/index.html".
Start the application and see the error.
was:
Make two constraints, one denying access to all resources (with extension patterns and similar extensions like "*\.html", "*\.htm", or "*\.jsp", "*\.js") and the other allowing access to a certain resource like "/index.html".
Start the application and see the error.
> WFLYSEC0012 Error in web.xml with similar Patterns
> --------------------------------------------------
>
> Key: WFLY-13044
> URL: https://issues.redhat.com/browse/WFLY-13044
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 18.0.0.Final, 18.0.1.Final, 19.0.0.Beta1
> Reporter: Franco Gimenez
> Assignee: Flavia Rainone
> Priority: Major
> Attachments: app.zip, image-2020-01-31-10-28-27-872.png, server.log.zip, web.xml.zip
>
>
> There is a problem when two constraints limit access to the same resource with extension patterns and an exact pattern.
> In our web.xml we have two constraints. One limits access to all resources and the other allows access to certain files.
> This is the web.xml to test the error:
> !image-2020-01-31-10-28-27-872.png|thumbnail!
> The problem happens when "*.htm" is evaluated inside the jboss-jacc-api_1.5 lib. It tries to match "/index.html" against the "*.htm" pattern; when the implies function returns false, it throws the exception.
> The log is:
> {code:java}
> 2020-01-30 18:44:38,293 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 77) WFLYUT0021: Registered web context: '/issue-reproducer-1.0.0.Final-SNAPSHOT' for server 'default-server'
> 2020-01-30 18:44:38,302 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."issue-reproducer-1.0.0.Final-SNAPSHOT.war".jboss.security.jacc: org.jboss.msc.service.StartException in service jboss.deployment.unit."issue-reproducer-1.0.0.Final-SNAPSHOT.war".jboss.security.jacc: WFLYSEC0012: Unable to start the JaccService service
> at org.jboss.as.security.service.JaccService.start(JaccService.java:107)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
> at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.IllegalArgumentException: Invalid exact pattern in URLPatternList
> at javax.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:314)
> at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:79)
> at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:160)
> at org.wildfly.extension.undertow.security.jacc.WarJACCService.createPermissions(WarJACCService.java:287)
> at org.wildfly.extension.undertow.security.jacc.WarJACCService.createPermissions(WarJACCService.java:64)
> at org.jboss.as.security.service.JaccService.start(JaccService.java:86)
> ... 8 more
> {code}
> I added a test project and the complete log from my environment.
> With WildFly 17 there is no error.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
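
The matching rule behind the exception above, as an added example (not code from WildFly, jboss-jacc-api, or the reporter's project): the `javax.security.jacc.URLPatternSpec` contract lets an extension pattern be qualified only by exact patterns it actually matches, so "/index.html" may qualify "*.html" but must not be attached to "*.htm". The class and method names are hypothetical, and the pattern lists are constructed from the report's description.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration; class and method names are hypothetical, not WildFly code.
public class ExtensionQualifierDemo {

    // Servlet-style extension match: "*.ext" matches a path whose last
    // segment ends with ".ext". "/index.html" ends with ".html" but not
    // with ".htm", so a prefix comparison of the extensions would be wrong.
    static boolean extensionMatches(String extPattern, String path) {
        if (!extPattern.startsWith("*.")) {
            throw new IllegalArgumentException("not an extension pattern: " + extPattern);
        }
        String suffix = extPattern.substring(1); // e.g. ".htm"
        String lastSegment = path.substring(path.lastIndexOf('/') + 1);
        return lastSegment.endsWith(suffix);
    }

    // Build the URLPatternSpec string "pattern:qualifier:..." for an
    // extension pattern, listing only the exact patterns it really matches.
    // An exact pattern that is not matched must be left out; including it
    // is what URLPatternSpec rejects as an invalid exact pattern.
    static String qualify(String extPattern, List<String> exactPatterns) {
        StringBuilder spec = new StringBuilder(extPattern);
        for (String exact : exactPatterns) {
            if (extensionMatches(extPattern, exact)) {
                spec.append(':').append(exact);
            }
        }
        return spec.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the deny-all extension patterns and the one
        // allowed exact resource described in the report.
        List<String> denied = Arrays.asList("*.html", "*.htm", "*.jsp", "*.js");
        List<String> allowed = Arrays.asList("/index.html");
        for (String pattern : denied) {
            System.out.println(qualify(pattern, allowed));
        }
    }
}
```

Only "*.html" comes out qualified with "/index.html"; the other three extension patterns stay unqualified and can be passed to `WebResourcePermission` as they are.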