tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael McCutcheon <>
Subject Re: @DenyAll does nothing
Date Wed, 02 Mar 2011 14:53:57 GMT
On 3/2/2011 4:12 AM, Mark Thomas wrote:
> On 02/03/2011 06:54, Michael McCutcheon wrote:
>> I'm using Tomcat 7.0.8.
>> I have a servlet with a doGet method that has a @DenyAll annotation
>> applied to it.
>> However, when I run the servlet, it seems to make no difference, and
>> doGet is still called.
>> It was my understanding that @DenyAll was supposed to prevent access to
>> the method on which it is applied.
>> Do I need to turn something on to get Tomcat to recognize the security
>> annotations?  I can't get any of the security annotations to do anything.
> You need to read the Servlet 3 specification. @DenyAll is not part of
> Servlet 3.0. To quote from the change log:
> <quote>
> Added a new annotation - @ServletSecurity (and associated annotation for
> the fields) for defining security as opposed to re-using the
> @RolesAllowed, @PermitAll, @DenyAll
> </quote>
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Ahh thanks for that.  It makes a bit more sense now.

However, I downloaded the Servlet 3.0 spec and used the exact examples 
from the security chapter, and it still seems to ignore the annotations 

I copied these right from the spec:

@ServletSecurity(@HttpConstraint(transportGuarantee = 

also this:


Neither did anything.

I'm running Tomcat in Netbeans 7 beta 2.  Would running in that 
environment affect the security annotations?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message