4 messages in org.apache.tomcat.users: Re: @DenyAll does nothing

From                 Sent On
Michael McCutcheon   Mar 1, 2011 10:54 pm
Mark Thomas          Mar 2, 2011 4:11 am
Michael McCutcheon   Mar 2, 2011 6:53 am
Mark Thomas          Mar 2, 2011 8:41 am

Subject: Re: @DenyAll does nothing
From: Mark Thomas (mar@apache.org)
Date: Mar 2, 2011 8:41:07 am
List: org.apache.tomcat.users

On 02/03/2011 14:53, Michael McCutcheon wrote:

> However, I downloaded the Servlet 3.0 spec and used the exact examples from the security chapter, and it still seems to ignore the annotations completely:
>
> I copied these right from the spec:
>
> @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
>
> also this:
>
> @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
>
> Neither did anything.

Oh <insert expletive of your choice>. That isn't good. I see the same thing with my simple test case. It looks like @ServletSecurity(...) annotations are completely ignored. Makes you wonder how Tomcat 7 passed the Servlet 3.0 TCK (and the current code does, I was running the TCK when I read your e-mail).

I need to investigate further to see exactly what is going on. I was about to start the 7.0.10 release process. I'll hold off on that until we have got to the bottom of what is going on here. The fixes (assuming fixes are required) will be included in 7.0.10.

Mark
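
An added example, not part of the thread or of Tomcat's code: a JDK-only probe that checks whether a URL protected by `@ServletSecurity` is actually refused to an anonymous plain-HTTP request, since the symptom reported above is a constraint that silently does nothing. The class name, the stub server and its `/enforced` and `/ignored` paths are constructed for illustration; pass real URLs as arguments to probe a deployment.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class ServletSecurityProbe {

    /** True when an anonymous plain-HTTP GET is refused or redirected rather than served. */
    static boolean isEnforced(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false); // keep a redirect to HTTPS visible
        c.setRequestMethod("GET");
        try {
            int status = c.getResponseCode();
            // EmptyRoleSemantic.DENY should yield 403; CONFIDENTIAL should yield
            // a redirect or a refusal. Any 2xx means the resource was served.
            return status < 200 || status >= 300;
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) { // probe a real deployment
            for (String u : args) {
                System.out.println(u + " enforced=" + isEnforced(u));
            }
            return;
        }
        // Constructed stand-in for a container: one path behaves as if the
        // constraint were applied, the other as if the annotation were ignored.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/enforced", ex -> { ex.sendResponseHeaders(403, -1); ex.close(); });
        stub.createContext("/ignored", ex -> { ex.sendResponseHeaders(200, -1); ex.close(); });
        stub.start();
        try {
            String base = "http://127.0.0.1:" + stub.getAddress().getPort();
            System.out.println("/enforced enforced=" + isEnforced(base + "/enforced"));
            System.out.println("/ignored  enforced=" + isEnforced(base + "/ignored"));
        } finally {
            stub.stop(0);
        }
    }
}
```

Running a check like this against every annotated servlet after a container upgrade catches a constraint that compiles and deploys cleanly but is never applied.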