Open cyril-briquet opened 3 days ago
and I forgot to add: ...despite being logged in.
Devappserver code path is really different than prod. Could you also try to deploy in prod and report? Thanks!
I deployed the test files (test-files.txt) on the production server. Apparently, the production server is not impacted by this bug.
Thanks for attaching the repro app, @lachlan-roberts has already some ideas for a fix.
Your admin
security constraint is redundant as admin is already covered under *
.
I have been able to reproduce this, and removing the admin
constraint stopped me getting 403's.
I am still investigating why these are combining to not allow the request. In my tests I am not seeing the request for /index.html
reach the Jetty security handler at all.
I can even reproduce this on prod in the java8 runtime.
The request is not served by Jetty because it is detected as a static file, and I can see in app.yaml
. It has defined the required role as admin
instead of required
which would allow any user.
- url: (/index\.html)
static_files: __static__\1
upload: __NOT_USED__
require_matching_file: True
login: admin
secure: always
This is different to how these constrains would combine in the servlet spec which should go to required
. So if the request were to reach Jetty it should serve the index.html
.
When setting
<java21>
in appengine-web.xml, and when a security constraint is defined over a static file (e.g. index.html), the devserver (and probably the production server) responds with HTTP 403 instead of serving the file.Note that setting
<java17>
in appengine-web.xml is a workaround that prevents the issue.test-files.txt