geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Han Hong Fang (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-5577) Support ServeltSecurity annotation when the servlets are added by ServletContext.addServlet methods
Date Wed, 08 Sep 2010 07:28:32 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-5577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Han Hong Fang updated GERONIMO-5577:
------------------------------------

    Attachment: GERONIMO-5577.patch

Highlight some important statements in the spec for this topic.

- setServletSecurity of ServletRegistation.Dynamic:  this method applies the security constraint
to all mappings added to this ServletRegistration up until the point that the ServletContext
from which it was obtained has been initialized. 

- The @ServletSecurity annotation is not applied to the url-patterns of a ServletRegistration
created using the addServlet(String, Servlet) method of the ServletContext interface, unless
the Servlet was constructed by the createServlet method of the ServletContext interface.

- The @ServletSecurity annoation applies to the url-patterns of a ServletRegistration created
using the addServlet(String, String) and addServlet(String, Class<?>) method of the
ServletContext interface

- Security constraints on URLs has following priority from high to low: web.xml, ServletRegistration.Dynamic.setServletSecurity(),
@ServletSecurity


BTW, the patch is for tomcat only. For jetty it is a todo item.

Please help to review. Thanks!



> Support ServeltSecurity annotation when the servlets are added by ServletContext.addServlet
methods
> ---------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5577
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5577
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: web
>    Affects Versions: 3.0
>            Reporter: Han Hong Fang
>            Assignee: Han Hong Fang
>         Attachments: GERONIMO-5577.patch
>
>
> Servlet 3.0 spec has following statements in chapter 13.4.1.
> The @ServletSecurity annotation provides an alternative mechanism for
> defining access control constraints equivalent to those that could otherwise have
> been expressed declaratively via security-constraint elements in the portable
> deployment descriptor or programmatically via the setServletSecurity method
> of the ServletRegistration interface. Servlet containers MUST support the use
> of the @ServletSecurity annotation on classes (and subclasses thereof) that
> implement the javax.servlet.Servlet interface.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message