On 3/2/2011 4:12 AM, Mark Thomas wrote:
> On 02/03/2011 06:54, Michael McCutcheon wrote:
>> I'm using Tomcat 7.0.8.
>> I have a servlet with a doGet method that has a @DenyAll annotation
>> applied to it.
>> However, when I run the servlet, it seems to make no difference, and
>> doGet is still called.
>> It was my understanding that @DenyAll was supposed to prevent access to
>> the method on which it is applied.
>> Do I need to turn something on to get Tomcat to recognize the security
>> annotations? I can't get any of the security annotations to do anything.
>
> You need to read the Servlet 3 specification. @DenyAll is not part of
> Servlet 3.0. To quote from the change log:
> <quote>
> Added a new annotation - @ServletSecurity (and associated annotation for
> the fields) for defining security as opposed to re-using the
> @RolesAllowed, @PermitAll, @DenyAll
> </quote>
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Ahh thanks for that. It makes a bit more sense now.
However, I downloaded the Servlet 3.0 spec and used the exact examples
from the security chapter, and it still seems to ignore the annotations
completely:
I copied these right from the spec:
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
also this:
@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
Neither did anything.
I'm running Tomcat in Netbeans 7 beta 2. Would running in that
environment affect the security annotations?
thanks,
Mike
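
The Servlet 3.0 annotation discussed in this thread, as an added example that is not part of the original messages: unlike a method-level @DenyAll, @ServletSecurity is placed on the servlet class, and a single HTTP method such as GET is denied through httpMethodConstraints. The class name ReportServlet, the "/report" mapping and the "admin" role are hypothetical, and the example assumes a Servlet 3.0 container that processes the annotation and has an authentication method configured.

```java
import java.io.IOException;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: ReportServlet, "/report" and the "admin" role are hypothetical.
// @ServletSecurity targets the servlet class, not doGet/doPost; per-method
// rules are expressed with httpMethodConstraints.
@WebServlet("/report")
@ServletSecurity(httpMethodConstraints = {
    // Deny GET to everyone: no roles listed plus EmptyRoleSemantic.DENY
    // means no caller is authorized for this method.
    @HttpMethodConstraint(value = "GET",
                          emptyRoleSemantic = EmptyRoleSemantic.DENY),
    // POST only for the "admin" role and only over a confidential transport.
    @HttpMethodConstraint(value = "POST",
                          rolesAllowed = "admin",
                          transportGuarantee = TransportGuarantee.CONFIDENTIAL)
})
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // When the GET constraint is enforced, the container rejects the
        // request before this method runs, so this text is a visible signal
        // that the annotation was not applied.
        resp.setContentType("text/plain");
        resp.getWriter().println("GET reached the servlet: constraint not enforced");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reached only by an authenticated caller in the "admin" role.
        resp.setContentType("text/plain");
        resp.getWriter().println("POST as " + req.getRemoteUser());
    }
}
```

HTTP methods not named in httpMethodConstraints fall under the annotation's default @HttpConstraint, which permits access, so every method that must be restricted needs its own entry or a stricter class-level value.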