Open
Labels
Status: Accepted (Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev)
Description
Brief Summary
Since we migrated (without any other change in EARs or config) from Payara CE 6.2025.9 to Payara CE 7.2025.2, we are getting the following message in server.log:
[2026-01-12T15:08:55.919+0100] [Payara 7.2025.2] [SCHWERWIEGEND] [] [javax.enterprise.system.container.web.com.sun.web.security] [tid: _ThreadID=93 _ThreadName=http-thread-pool::http-listener-1(2)] [timeMillis: 1768226935919] [levelValue: 1000] [[
web_server.excep_authenticate_realmadapter
java.lang.IllegalArgumentException: invalid URLPatternSpec
    at jakarta.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:326)
    at jakarta.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:79)
    at jakarta.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:141)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:437)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:425)
    at com.sun.enterprise.security.ee.authorization.WebAuthorizationManagerService.hasResourcePermission(WebAuthorizationManagerService.java:413)
    at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:1492)
    at com.sun.web.security.RealmAdapter.preAuthenticateCheck(RealmAdapter.java:567)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:726)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:366)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:190)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
    at java.base/java.lang.Thread.run(Unknown Source)
As the software seems to be fully functional, I assume this is a bug in Payara.
Note that the deployed EARs do not make any use of Payara's built-in security features (we have custom JAX-RS filters in place to implement security), so it is really strange that the stack trace mentions authentication!
Expected Outcome
Nothing shall be found in log.
Current Outcome
[2026-01-12T15:08:55.919+0100] [Payara 7.2025.2] [SCHWERWIEGEND] [] [javax.enterprise.system.container.web.com.sun.web.security] [tid: _ThreadID=93 _ThreadName=http-thread-pool::http-listener-1(2)] [timeMillis: 1768226935919] [levelValue: 1000] [[
web_server.excep_authenticate_realmadapter
java.lang.IllegalArgumentException: invalid URLPatternSpec
    at jakarta.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:326)
    at jakarta.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:79)
    at jakarta.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:141)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:437)
    at org.glassfish.exousia.AuthorizationService.checkWebResourcePermission(AuthorizationService.java:425)
    at com.sun.enterprise.security.ee.authorization.WebAuthorizationManagerService.hasResourcePermission(WebAuthorizationManagerService.java:413)
    at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:1492)
    at com.sun.web.security.RealmAdapter.preAuthenticateCheck(RealmAdapter.java:567)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:726)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:366)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:190)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:535)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:515)
    at java.base/java.lang.Thread.run(Unknown Source)
Reproducer
We need to strip down our closed-source EAR experimentally, which needs days to weeks, so if a reproducer is really needed (I think the stack trace is pretty clear) then please contact me.
Operating System
Windows 10 Pro
JDK Version
Zulu JDK 21
Payara Distribution
Payara Server Full Profile