From: Mark Thomas
Date: Wed, 09 Mar 2011 10:48:21 +0000
To: Tomcat Users List, announce@tomcat.apache.org, announce@apache.org, Tomcat Developers List
Subject: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
Message-ID: <4D775AF5.6010602@apache.org>

The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
ignored when there are no security constraints defined in web.xml (a
typical use case).

There will be a Tomcat 7.0.11 release shortly to address this. In the
meantime, the workaround of specifying at least one security constraint
in web.xml can be used to trigger the scanning of @SecurityAnnotations.

Mark
on behalf of the Apache Tomcat security team
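
An added audit sketch, not part of the original advisory and not Tomcat code: it flags a WAR that matches the condition described above, that is, classes carrying @ServletSecurity while web.xml defines no security constraint. Assumptions: only WEB-INF/classes is scanned (not jars in WEB-INF/lib), the function names are hypothetical, and the sample WAR and placeholder constraint are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Type descriptor stored in a class file's constant pool when the class
# carries @ServletSecurity (Servlet 3.0, javax namespace as used by Tomcat 7).
ANNOTATION_DESCRIPTOR = b"Ljavax/servlet/annotation/ServletSecurity;"

# Constructed sample descriptors: one without constraints, one with a
# placeholder deny-all constraint on a path assumed not to be mapped.
NO_CONSTRAINTS = b'<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>'
WITH_CONSTRAINT = (
    b'<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
    b"<security-constraint><web-resource-collection>"
    b"<web-resource-name>placeholder</web-resource-name>"
    b"<url-pattern>/placeholder-not-mapped</url-pattern>"
    b"</web-resource-collection><auth-constraint/></security-constraint>"
    b"</web-app>"
)


def count_security_constraints(web_xml_bytes):
    """Count <security-constraint> elements, ignoring the XML namespace."""
    root = ET.fromstring(web_xml_bytes)
    return sum(1 for el in root.iter()
               if el.tag.rsplit("}", 1)[-1] == "security-constraint")


def audit_war(war_file):
    """Return (annotated_classes, constraint_count, at_risk) for a WAR."""
    with zipfile.ZipFile(war_file) as war:
        names = war.namelist()
        annotated = sorted(
            n for n in names
            if n.startswith("WEB-INF/classes/") and n.endswith(".class")
            and ANNOTATION_DESCRIPTOR in war.read(n))
        constraints = 0
        if "WEB-INF/web.xml" in names:
            constraints = count_security_constraints(war.read("WEB-INF/web.xml"))
    # At risk per the advisory: annotations present, no constraint in web.xml.
    return annotated, constraints, bool(annotated) and constraints == 0


def build_sample_war(web_xml):
    """Constructed sample WAR: one fake class blob that names the annotation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/classes/demo/AdminServlet.class",
                     b"\xca\xfe\xba\xbe" + ANNOTATION_DESCRIPTOR)
        war.writestr("WEB-INF/web.xml", web_xml)
    buf.seek(0)
    return buf
```

Call audit_war() with the path to a deployed .war file; a True third value means the application depends on annotations alone and needs the web.xml workaround on the affected releases.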