[ https://issues.apache.org/jira/browse/GERONIMO-5577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Han Hong Fang updated GERONIMO-5577:
------------------------------------

    Attachment: GERONIMO-5577.patch

Highlight some important statements in the spec for this topic.

- setServletSecurity of ServletRegistration.Dynamic: this method applies the security constraint to all mappings added to this ServletRegistration up until the point that the ServletContext from which it was obtained has been initialized.
- The @ServletSecurity annotation is not applied to the url-patterns of a ServletRegistration created using the addServlet(String, Servlet) method of the ServletContext interface, unless the Servlet was constructed by the createServlet method of the ServletContext interface.
- The @ServletSecurity annotation applies to the url-patterns of a ServletRegistration created using the addServlet(String, String) and addServlet(String, Class<?>) methods of the ServletContext interface.
- Security constraints on URLs have the following priority from high to low: web.xml, ServletRegistration.Dynamic.setServletSecurity(), @ServletSecurity

BTW, the patch is for tomcat only. For jetty it is a todo item.

Please help to review. Thanks!

> Support ServeltSecurity annotation when the servlets are added by ServletContext.addServlet methods
> ---------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5577
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5577
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues)
>          Components: web
>    Affects Versions: 3.0
>            Reporter: Han Hong Fang
>            Assignee: Han Hong Fang
>         Attachments: GERONIMO-5577.patch
>
>
> Servlet 3.0 spec has the following statements in chapter 13.4.1.
> The @ServletSecurity annotation provides an alternative mechanism for
> defining access control constraints equivalent to those that could otherwise have
> been expressed declaratively via security-constraint elements in the portable
> deployment descriptor or programmatically via the setServletSecurity method
> of the ServletRegistration interface. Servlet containers MUST support the use
> of the @ServletSecurity annotation on classes (and subclasses thereof) that
> implement the javax.servlet.Servlet interface.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
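
The registration rules highlighted in the comment above, sketched against the Servlet 3.0 API as an added example (it is not taken from GERONIMO-5577.patch or from Geronimo's code). The servlet class, listener, servlet names, role names and URL patterns are hypothetical.

```java
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.HttpServlet;

// Hypothetical servlet that declares its constraint by annotation.
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
class ReportServlet extends HttpServlet { }

@WebListener
public class RegistrationListener implements ServletContextListener {

    // addServlet returns null when a servlet with that name is already fully registered.
    private static ServletRegistration.Dynamic map(ServletRegistration.Dynamic reg, String pattern) {
        if (reg == null) throw new IllegalStateException("servlet name already in use: " + pattern);
        reg.addMapping(pattern);
        return reg;
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            // Registered by class: @ServletSecurity applies to /by-class.
            map(ctx.addServlet("byClass", ReportServlet.class), "/by-class");
            // Instance built with new: the annotation is NOT applied to /by-new.
            map(ctx.addServlet("byNew", new ReportServlet()), "/by-new");
            // Instance built by createServlet: the annotation applies to /by-create.
            map(ctx.addServlet("byCreate", ctx.createServlet(ReportServlet.class)), "/by-create");

            // Programmatic constraint: overrides the annotation, yields to web.xml.
            ServletRegistration.Dynamic reg =
                map(ctx.addServlet("programmatic", new ReportServlet()), "/programmatic");
            Set<String> unchanged = reg.setServletSecurity(new ServletSecurityElement(
                new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, "auditor")));
            // Returned patterns were already exact targets of a web.xml
            // security-constraint, so the call above did not change them.
            for (String pattern : unchanged) {
                ctx.log("web.xml constraint takes priority for " + pattern);
            }
        } catch (ServletException e) {
            throw new IllegalStateException("servlet registration failed", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The "byNew" case is the one to audit for: the class carries an annotation, yet /by-new ends up with no constraint unless one is set through web.xml or setServletSecurity.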