Multiple url-patterns in web.xml are incorrectly parsed in security-constraint.

Description

Code in WebAppParser.java is wrong with web.xml snippets like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SomeName</web-resource-name>
    <url-pattern>/SomeUrl/*</url-pattern>
    <url-pattern>/AnotherUrl/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SomeRole</role-name>
  </auth-constraint>
</security-constraint>

A WebAppSecurityConstraint is first created, then the /SomeUrl/* is parsed and the WebAppSecurityConstraint url is set. Then /AnotherUrl/* is parsed and the same WebAppSecurityConstraint url is set again. Therefore some constraints are dropped.

The same applies for http-method.

The fix is here:

https://github.com/yziquel/org.ops4j.pax.web/commit/8ca09527e2cb1a4725ee68cd5cacd9b05d10957b
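
To find descriptors exposed to this bug, the following audit script lists the url-pattern and http-method values that a parser keeping only the last value per web-resource-collection would leave unprotected. It is an added example, not part of the original report and not Pax Web code; the function names, the sample descriptor (the report's snippet plus two constructed http-method entries) and the "last value wins" model of the overwrite are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the report, plus two http-method entries.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SomeName</web-resource-name>
      <url-pattern>/SomeUrl/*</url-pattern>
      <url-pattern>/AnotherUrl/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SomeRole</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip the XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def texts(parent, name):
    """Text of every descendant element called `name`, in document order."""
    return [(e.text or "").strip() for e in parent.iter() if local(e.tag) == name]


def audit(web_xml):
    """Return one finding per web-resource-collection that repeats url-pattern
    or http-method, listing the values a last-value-wins parser would drop."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        roles = texts(sc, "role-name")
        for wrc in (e for e in sc.iter() if local(e.tag) == "web-resource-collection"):
            urls, methods = texts(wrc, "url-pattern"), texts(wrc, "http-method")
            if len(urls) > 1 or len(methods) > 1:
                findings.append({
                    "name": (texts(wrc, "web-resource-name") or ["?"])[0],
                    "roles": roles,
                    "dropped_urls": urls[:-1],  # assumed: each set overwrites the previous
                    "dropped_methods": methods[:-1],
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML):
        print(finding)
```

Any path reported under dropped_urls should be tested for unauthenticated access on deployments that still run the unfixed parser.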

Environment

None

Assignee

Achim Nierbeck

Reporter

Guillaume Yziquel

Labels

None

Priority

Major