tomcat-users mailing list archives

From Mark Thomas
Subject Re: @DenyAll does nothing
Date Wed, 02 Mar 2011 16:41:30 GMT
On 02/03/2011 14:53, Michael McCutcheon wrote:
> However, I downloaded the Servlet 3.0 spec and used the exact examples
> from the security chapter, and it still seems to ignore the annotations
> completely:
> I copied these right from the spec:
> @ServletSecurity(@HttpConstraint(transportGuarantee =
> TransportGuarantee.CONFIDENTIAL))
> also this:
> @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
> Neither did anything.

Oh <insert expletive of your choice>. That isn't good. I see the same
thing with my simple test case. It looks like @ServletSecurity(...)
annotations are completely ignored. Makes you wonder how Tomcat 7 passed
the Servlet 3.0 TCK (and the current code does, I was running the TCK
when I read your e-mail).

I need to investigate further to see exactly what is going on. I was
about to start the 7.0.10 release process. I'll hold off on that until
we have got to the bottom of what is going on here. The fixes (assuming
fixes are required) will be included in 7.0.10.

