Description
Brief Summary
When running Payara 7.2025.1 / JDK21 and the URL has a colon in the path, e.g.:
http://localhost:8080/app/view/test:code
http://localhost:8080/app/view/test%3Acode
the request is not forwarded to the application but instead an error is logged.
Payara 6.2025.10 is not affected
Expected Outcome
The request should be forwarded to the application
Current Outcome
An error is logged and a 503 is thrown:
java.lang.IllegalArgumentException: invalid URLPatternSpec
    at jakarta.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:326)
    at jakarta.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:79)
    at jakarta.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:141)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:437)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:425)
    at com.sun.enterprise.security.ee.authorization.WebAuthorizationManagerService.hasResourcePermission(WebAuthorizationManagerService.java:413)
    at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:1492)
    at com.sun.web.security.RealmAdapter.preAuthenticateCheck(RealmAdapter.java:567)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:726)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:366)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:174)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:153)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:196)
Reproducer
Try using a URL with a colon in the address path in any application - even if the page doesn't exist, you'll get a 503 error instead of a 404. URL encoding doesn't work either.
Operating System
Windows 11 Pro
JDK Version
Zulu JDK 21
Payara Distribution
Payara Server Full Profile