On 3/2/2011 4:12 AM, Mark Thomas wrote:
> On 02/03/2011 06:54, Michael McCutcheon wrote:
>> I'm using Tomcat 7.0.8.
>>
>> I have a servlet with a doGet method that has a @DenyAll annotation
>> applied to it.
>>
>> However, when I run the servlet, it seems to make no difference, and
>> doGet is still called.
>>
>> It was my understanding that @DenyAll was supposed to prevent access to
>> the method on which it is applied.
>>
>> Do I need to turn something on to get Tomcat to recognize the security
>> annotations? I can't get any of the security annotations to do anything.
> You need to read the Servlet 3 specification. @DenyAll is not part of
> Servlet 3.0. To quote from the change log:
> <quote>
> Added a new annotation - @ServletSecurity (and associated annotation for
> the fields) for defining security as opposed to re-using the
> @RolesAllowed, @PermitAll, @DenyAll
> </quote>
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Ahh thanks for that. It makes a bit more sense now.
However, I downloaded the Servlet 3.0 spec and used the exact examples
from the security chapter, and it still seems to ignore the annotations
completely:
I copied these right from the spec:
@ServletSecurity(@HttpConstraint(transportGuarantee =
TransportGuarantee.CONFIDENTIAL))
also this:
@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
Neither did anything.
I'm running Tomcat in Netbeans 7 beta 2. Would running in that
environment affect the security annotations?
thanks,
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|