From: Mark Thomas
To: Tomcat Users List
Date: Thu, 10 Mar 2011 12:05:29 +0000
Subject: Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

On 09/03/2011 10:48, Mark Thomas wrote:
> The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
> ignored when there are no security constraints defined in web.xml (a
> typical use case).
>
> There will be a Tomcat 7.0.11 release shortly to address this. In the
> meantime, the workaround of specifying at least one security constraint
> in web.xml can be used to trigger the scanning of @SecurityAnnotations.

7.0.11 is available (details on the dev list) for testing. Note this is
*not* the official release. That will happen if testing and voting
complete successfully.

Mark