SEC-1479: Different attitude on diverse webcontainers #1721
The subsequent snippet may make no sense, but it causes a different attitude with tomcat and the jetty plugin from maven.
If the following http configuration is used in the applicationContext-security.xml:
<http auto-config='true' use-expressions="true"
tomcat serves the website without problems but jetty gives the following exceptions when I try to access localhost:8282/ldapAuth :
HTTP ERROR 500
Problem accessing /ldapAuth/. Reason:
java.lang.IllegalArgumentException: Failed to evaluate expression 'ROLE_CARRIER'
org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'ROLE_CARRIER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'
Powered by Jetty://
If I uncomment the line:
the application is successfully accessible on tomcat and jetty.
The following snippet shows my jetty-configuration in the pom.xml file: org.mortbay.jetty maven-jetty-plugin 10 8282 60000
Ramo Karahasan said:
I've created two examples, "testApp" and "testApp2". The version "testApp" includes the configuration: and works on tomcat 6.0.20 and not on the jetty plugin (the exception shown previously). The "testApp2" version is configured without the line (commented out). Again the tomcat version is 6.0.20 and the jetty-plugin has the version: 6.1.24
Luke Taylor said:
Ok, thanks for the samples. I think I see the problem. It's not a bug (at least not in Spring Security), but down to the way Jetty and Tomcat handle the welcome-file-list, which you have set to your index.xhtml (in testApp). If you remove that you will get the same error in both containers. When you request the root, Tomcat uses the URL "/index.html":
[DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource,http-8080-1] Converted URL to lowercase, from: '/index.xhtml'; to: '/index.xhtml'
Whereas Jetty uses the URL "/":
[DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource,17066018@qtp-26991461-0] Converted URL to lowercase, from: '/'; to: '/'
So tomcat doesn't attempt to evaluate the invalid expression "ROLE_CARRIER".
I'm not sure which is correct, or if the servlet spec actually defines what it should be, but it's obviously something you'll need to take account of if you're using different containers.
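An added configuration example, not part of the original thread and not the reporter's actual file: it shows the bare role name that triggers the EL1008E error when `use-expressions="true"` is set, next to a form that evaluates and that matches both the URL Jetty sees ("/") and the one Tomcat sees ("/index.xhtml"). The `intercept-url` patterns and the `permitAll` catch-all are assumptions made for illustration.

```xml
<!-- Constructed example. The two <http> elements are alternatives
     (before / after), not meant to sit in the same file. -->

<!-- BEFORE: with use-expressions="true" every access value is treated
     as a SpEL expression. The bare token ROLE_CARRIER is read as a
     property of WebSecurityExpressionRoot, so evaluation fails, but
     only when a request actually matches this pattern. On Jetty the
     root request arrives as "/" and hits the rule (HTTP 500); on
     Tomcat the same request arrives as "/index.xhtml", falls through
     to the next rule, and the broken expression goes unnoticed. -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="ROLE_CARRIER" />
    <intercept-url pattern="/**" access="permitAll" />
</http>

<!-- AFTER: the role check is written as an expression, and the
     welcome file is protected under both URLs a container may
     present, so the rule applies whichever container is used. -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="hasRole('ROLE_CARRIER')" />
    <intercept-url pattern="/index.xhtml" access="hasRole('ROLE_CARRIER')" />
    <intercept-url pattern="/**" access="permitAll" />
</http>
```

Enabling DEBUG logging for `ExpressionBasedFilterInvocationSecurityMetadataSource`, as in the log lines quoted above, shows which URL each container hands to the filter chain and therefore which rule is matched.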