users@glassfish.java.net

Re: Problems with colon and realm

From: <glassfish_at_javadesktop.org>
Date: Mon, 14 Jul 2008 11:13:08 PDT

GlassFish uses the JSR 115/JACC standard to process security-constraints (and EJB method-permissions) as required by the Java EE platform spec. The 115 standard did not account for the potential inclusion of the colon character in the checked part of the request URL. As such, a colon character occurring within a path-segment will be syntactically indistinguishable from colons used by the WebResourcePermission and WebUserDataPermission constructors to demarcate qualifying patterns.

 URLPatternList ::= URLPattern | URLPatternList colon URLPattern

 URLPatternSpec ::= null | URLPattern | URLPattern colon URLPatternList

See (for example)
http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html

So if you have colons in request URLs, you must convert them to escaped encoding ("%3A") before submitting the request, or before including them as protected patterns in web.xml.

This problem is being addressed in the about-to-be-filed Maintenance Release (MR) of JSR 115. The MR will require that the HttpServletRequest-based constructors of WebResourcePermission and WebUserDataPermission perform the encoding at permission construction, and that colons occurring in url-patterns within web.xml be encoded during the translation to permissions defined by the JACC Policy Configuration contract.

Ron

The above changes will be integrated in the GlassFish source after the MR is filed, at which time it will no longer be necessary for you to replace colons with their escaped encoding.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=286513
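
The ambiguity described in the message above, as an added example that is not part of the original post and not GlassFish or JACC provider code: a minimal splitter for the quoted URLPatternSpec grammar, run on raw and `%3A`-escaped input. The class name, method names and sample paths are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration of the URLPatternSpec grammar quoted in the message.
// It does not use or reproduce GlassFish or JACC provider code.
public class ColonInUrlPatternSpec {

    // URLPatternSpec ::= URLPattern | URLPattern colon URLPatternList
    // Element 0 is the URLPattern; any further elements are qualifying patterns.
    static List<String> splitSpec(String spec) {
        return Arrays.asList(spec.split(":"));
    }

    // Workaround from the message: replace each colon with its escaped encoding.
    static String escapeColons(String path) {
        return path.replace(":", "%3A");
    }

    // Builds a spec from one pattern and its qualifiers, escaping colons inside
    // each element so that only the delimiters remain as literal colons.
    static String buildSpec(String pattern, String... qualifiers) {
        StringBuilder sb = new StringBuilder(escapeColons(pattern));
        for (String q : qualifiers) {
            sb.append(':').append(escapeColons(q));
        }
        return sb.toString();
    }

    static void show(String label, String spec) {
        List<String> parts = splitSpec(spec);
        System.out.println(label + ": " + spec);
        System.out.println("  URLPattern = " + parts.get(0));
        System.out.println("  qualifiers = " + parts.subList(1, parts.size()));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String requestPath = "/wiki/Talk:Main";
        String protectedPattern = "/wiki/*";
        String exception = "/wiki/Help:Index";

        show("raw request path", requestPath);                   // colon read as a delimiter
        show("escaped request path", escapeColons(requestPath)); // one URLPattern
        show("raw spec", protectedPattern + ":" + exception);    // two qualifiers instead of one
        show("built spec", buildSpec(protectedPattern, exception));
    }
}
```

In the raw cases the path segment after the colon is reported as a separate qualifying pattern, so the string no longer names the resource that was requested or protected; in the escaped cases each path stays a single element.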