From | Sent On | Attachments |
---|---|---|
Michael McCutcheon | Mar 1, 2011 10:54 pm | |
Mark Thomas | Mar 2, 2011 4:12 am | |
Michael McCutcheon | Mar 2, 2011 6:53 am | |
Mark Thomas | Mar 2, 2011 8:41 am | |

Subject: | Re: @DenyAll does nothing |
---|---|
From: | Michael McCutcheon (mich...@att.net) |
Date: | Mar 2, 2011 6:53:57 am |
List: | org.apache.tomcat.users |

On 3/2/2011 4:12 AM, Mark Thomas wrote:
> On 02/03/2011 06:54, Michael McCutcheon wrote:
>> I'm using Tomcat 7.0.8.
>> I have a servlet with a doGet method that has a @DenyAll annotation applied to it.
>> However, when I run the servlet, it seems to make no difference, and doGet is still called.
>> It was my understanding that @DenyAll was supposed to prevent access to the method on which it is applied.
>> Do I need to turn something on to get Tomcat to recognize the security annotations? I can't get any of the security annotations to do anything.
>
> You need to read the Servlet 3 specification. @DenyAll is not part of Servlet 3.0. To quote from the change log:
>
> <quote> Added a new annotation - @ServletSecurity (and associated annotation for the fields) for defining security as opposed to re-using the @RolesAllowed, @PermitAll, @DenyAll </quote>
>
> Mark

Ahh thanks for that. It makes a bit more sense now.
However, I downloaded the Servlet 3.0 spec and used the exact examples from the security chapter, and it still seems to ignore the annotations completely:
I copied these right from the spec:
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
also this:
@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
Neither did anything.
I'm running Tomcat in Netbeans 7 beta 2. Would running in that environment affect the security annotations?
thanks, Mike
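
The two constraints quoted in the message above, placed on a complete Servlet 3.0 servlet class; this is an added example, not code from the thread or from the Tomcat project. The class name `ReportServlet` and the URL pattern `/report` are made up for illustration. `@ServletSecurity` is a type-level annotation, so a per-method rule such as "deny GET" is written with `@HttpMethodConstraint` on the class rather than on `doGet`.

```java
import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the name and URL pattern are assumptions for this example.
@WebServlet("/report")
@ServletSecurity(
    // Applies to every HTTP method not listed in httpMethodConstraints:
    // the container must require a confidential (TLS) transport.
    value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET only: no roles are named and the empty-role semantic is DENY,
        // so the container must refuse every GET before doGet is invoked.
        @HttpMethodConstraint(value = "GET",
                              emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reaching this line means the GET constraint was not enforced.
        resp.setContentType("text/plain");
        resp.getWriter().println("doGet reached: constraint NOT enforced");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Covered by the default constraint: req.isSecure() reports whether
        // the request actually arrived over a secure channel.
        resp.setContentType("text/plain");
        resp.getWriter().println("doPost reached, secure=" + req.isSecure());
    }
}
```

If a GET to the servlet returns the `doGet` body instead of being refused by the container, the annotation is not being applied to the deployed class.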