[2024-02-09T18:49:24.885241Z] [GF 7.0.11] [SEVERE] [] [com.sun.web.security.RealmAdapter] [tid: _ThreadID=30 _ThreadName=http-listener-1(3)] [levelValue: 1000] [[
  Authentication passed, but authorization failed.
java.lang.IllegalArgumentException: invalid URLPatternSpec
    at jakarta.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:326)
    at jakarta.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:79)
    at jakarta.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:141)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:454)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:442)
    at com.sun.enterprise.security.ee.web.integration.WebSecurityManager.hasResourcePermission(WebSecurityManager.java:260)
    at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:1151)
    at com.sun.web.security.RealmAdapter.preAuthenticateCheck(RealmAdapter.java:450)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:415)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:529)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:503)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:71)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:121)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:295)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:188)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:425)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:144)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:174)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:153)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:196)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:88)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:246)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:178)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:118)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:96)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:51)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:510)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:82)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:83)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:101)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
    at java.base/java.lang.Thread.run(Thread.java:842)
I have tried granting permission in server.policy. I've tried defining a web-resource in web.xml.
Does this happen for a specific request URL? Does the URL contain a colon (character :)?

If yes, then it looks like it's a bug in GlassFish. The server checks whether the caller has access to the URL resource, and passes the URL to the authorization service. As stated in the WebResourcePermission docs, : is used as a separator between multiple URLs that should be checked with a single method call. If : is inside some URL, it should be escaped, which GlassFish doesn't do.

You can raise an issue for the project maintainers and ask them if they can fix it. Or, if you can, avoid using : in URLs.
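The separator behaviour described in the answer above, as an added example that is not GlassFish or Jakarta Authorization code. The class and method names are hypothetical, the pattern check is a deliberately simplified model, the sample URIs are constructed, and percent-encoding the colon as %3A is assumed to be the escaped form.

```java
import java.util.List;

/** Simplified model of ':' as a pattern separator; not the jakarta.security.jacc implementation. */
public class ColonInUrlPattern {

    /** ':' separates the patterns in a permission name, so a raw URI is split wherever it contains one. */
    static List<String> splitSpec(String name) {
        return List.of(name.split(":", -1));
    }

    /** Simplified syntax check (assumption): path patterns start with '/', extension patterns with "*.". */
    static boolean looksLikePattern(String pattern) {
        return pattern.startsWith("/") || pattern.startsWith("*.");
    }

    /** A name is accepted by this model only if every ':'-separated part looks like a URL pattern. */
    static boolean isValidSpec(String name) {
        return splitSpec(name).stream().allMatch(ColonInUrlPattern::looksLikePattern);
    }

    /** Percent-encode literal colons so they are read as part of the URL, not as separators. */
    static String escapeColons(String requestUri) {
        return requestUri.replace(":", "%3A");
    }

    public static void main(String[] args) {
        // Constructed sample request URIs, relative to the context path.
        String[] uris = {
            "/orders/42",
            "/items/urn:isbn:0451450523",
            "/reports/18:49"
        };
        for (String uri : uris) {
            String escaped = escapeColons(uri);
            System.out.printf("%-30s parts=%s valid=%b%n", uri, splitSpec(uri), isValidSpec(uri));
            System.out.printf("%-30s parts=%s valid=%b%n%n", escaped, splitSpec(escaped), isValidSpec(escaped));
        }
    }
}
```

Running it shows the two URIs containing a raw colon split into several parts that fail the pattern check, while their escaped forms stay a single valid pattern.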