On 21/06/2013 07:39, Mark Thomas wrote: > Violeta Georgieva <miles...@gmail.com> wrote: > >> 2013/6/20 <ma...@apache.org> >>> >>> Author: markt Date: Thu Jun 20 10:38:49 2013 New Revision: >>> 1494915 >>> >>> URL: http://svn.apache.org/r1494915 Log: Servlet 3.1 Implement >>> the new deny-uncovered-http-methods element in server.xml > > That should have said web.xml > >> That's for the xml but what about annotations? > > Good catch. I think we probably do need to check those but I want to > re-read the spec and the EG discussion to be sure.
The spec is poorly written (it says deny-uncovered-methods is processed during deployment) but my understanding of the intention of this change is that these should be checked. >> We are processing them when loading the servlet. Shouldn't we add >> check for uncovered methods to the >> o.a.catalina.core.StandardContext.addServletSecurity(...): > > I don't have the code to hand right now so I'm not sure about that. > It isn't where I immediately thought of but it might be a better > place to do it. I was thinking of the code in the Wrapper but this is a better place. Should be fixed now. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org