Subject: Re: @DenyAll does nothing
From: Michael McCutcheon (mich@att.net)
Date: Mar 2, 2011 6:53:34 am
List: org.apache.tomcat.users

On 3/2/2011 4:12 AM, Mark Thomas wrote:

> On 02/03/2011 06:54, Michael McCutcheon wrote:
>
>> I'm using Tomcat 7.0.8.
>>
>> I have a servlet with a doGet method that has a @DenyAll annotation applied to it.
>>
>> However, when I run the servlet, it seems to make no difference, and doGet is still called.
>>
>> It was my understanding that @DenyAll was supposed to prevent access to the method on which it is applied.
>>
>> Do I need to turn something on to get Tomcat to recognize the security annotations? I can't get any of the security annotations to do anything.
>
> You need to read the Servlet 3 specification. @DenyAll is not part of Servlet 3.0. To quote from the change log: <quote> Added a new annotation - @ServletSecurity (and associated annotation for the fields) for defining security as opposed to re-using the @RolesAllowed, @PermitAll, @DenyAll </quote>

Ahh thanks for that. It makes a bit more sense now.

However, I downloaded the Servlet 3.0 spec and used the exact examples from the security chapter, and it still seems to ignore the annotations completely:

I copied these right from the spec:

@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))

also this:

@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))

Neither did anything.

I'm running Tomcat in Netbeans 7 beta 2. Would running in that environment affect the security annotations?

thanks, Mike
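
Added example, not part of the original message or of Tomcat's own code: a complete Servlet 3.0 servlet showing where @ServletSecurity goes (on the servlet class, not on doGet) and how a per-method constraint expresses what @DenyAll on doGet was meant to do. The class name, URL pattern and role name are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: "/report", ReportServlet and the "admin" role are assumed names.
@WebServlet("/report")
@ServletSecurity(
    // Applies to every HTTP method not listed below: TLS required, no role needed.
    value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Closest equivalent to @DenyAll on doGet: an empty role list
        // combined with DENY means no caller may use GET.
        @HttpMethodConstraint(value = "GET",
                              emptyRoleSemantic = EmptyRoleSemantic.DENY),
        // POST is limited to one role and must also arrive over TLS.
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Only reached if the GET constraint above is NOT being enforced,
        // which makes this line a simple check that the annotation is active.
        resp.getWriter().println("GET handler reached");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reached only for authenticated callers in the assumed "admin" role.
        resp.setContentType("text/plain");
        resp.getWriter().println("POST handled for " + req.getRemoteUser());
    }
}
```

Under the Servlet 3.0 specification the container skips annotation processing when web.xml sets metadata-complete="true", and constraints declared in web.xml for the same URL pattern take precedence over @ServletSecurity.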