[ https://issues.apache.org/jira/browse/GERONIMO-5577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Han Hong Fang updated GERONIMO-5577:
------------------------------------

    Attachment: GERONIMO-5577.patch

Highlight some important statements in the spec for this topic.

- setServletSecurity of ServletRegistration.Dynamic: this method applies the 
security constraint to all mappings added to this ServletRegistration up until 
the point that the ServletContext from which it was obtained has been 
initialized. 

- The @ServletSecurity annotation is not applied to the url-patterns of a 
ServletRegistration created using the addServlet(String, Servlet) method of the 
ServletContext interface, unless the Servlet was constructed by the 
createServlet method of the ServletContext interface.

- The @ServletSecurity annotation applies to the url-patterns of a 
ServletRegistration created using the addServlet(String, String) and 
addServlet(String, Class<?>) methods of the ServletContext interface.

- Security constraints on URLs have the following priority from high to low: 
web.xml, ServletRegistration.Dynamic.setServletSecurity(), @ServletSecurity


BTW, the patch is for Tomcat only. For Jetty it is a to-do item.

Please help to review. Thanks!



> Support ServletSecurity annotation when the servlets are added by 
> ServletContext.addServlet methods
> ---------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5577
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5577
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: web
>    Affects Versions: 3.0
>            Reporter: Han Hong Fang
>            Assignee: Han Hong Fang
>         Attachments: GERONIMO-5577.patch
>
>
> Servlet 3.0 spec has the following statements in chapter 13.4.1.
> The @ServletSecurity annotation provides an alternative mechanism for
> defining access control constraints equivalent to those that could otherwise have
> been expressed declaratively via security-constraint elements in the portable
> deployment descriptor or programmatically via the setServletSecurity method
> of the ServletRegistration interface. Servlet containers MUST support the use
> of the @ServletSecurity annotation on classes (and subclasses thereof) that
> implement the javax.servlet.Servlet interface.

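The registration rules listed in the comment above, shown side by side as an added example; it is not part of the original message or of GERONIMO-5577.patch. It targets the javax.servlet 3.0 API, and the class names, servlet names, roles and URL patterns are hypothetical.

```java
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.http.HttpServlet;

// Hypothetical listener; declared with @WebListener so it may register servlets.
@WebListener
public class SecurityDemoListener implements ServletContextListener {

    // Hypothetical servlet carrying an annotation-based constraint.
    @ServletSecurity(@HttpConstraint(rolesAllowed = "auditor"))
    public static class ReportServlet extends HttpServlet { }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            // 1. addServlet(String, Class): @ServletSecurity applies to /by-class/*.
            ctx.addServlet("byClass", ReportServlet.class).addMapping("/by-class/*");

            // 2. addServlet(String, Servlet) with an instance the application built itself:
            //    the annotation is NOT applied, so /by-instance/* carries no constraint
            //    unless web.xml or setServletSecurity() supplies one.
            ctx.addServlet("byInstance", new ReportServlet()).addMapping("/by-instance/*");

            // 3. Same method, but the instance comes from createServlet():
            //    the container processes the annotation, so /by-create/* is constrained.
            ctx.addServlet("byCreate", ctx.createServlet(ReportServlet.class))
               .addMapping("/by-create/*");

            // 4. setServletSecurity() outranks the annotation for the mappings added so far.
            ServletRegistration.Dynamic reg = ctx.addServlet("programmatic", ReportServlet.class);
            reg.addMapping("/programmatic/*");
            Set<String> keptByWebXml = reg.setServletSecurity(new ServletSecurityElement(
                    new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "admin")));

            // Patterns returned here already have a security-constraint in web.xml,
            // which has the highest priority; they were left unchanged.
            for (String pattern : keptByWebXml) {
                ctx.log("web.xml constraint kept for " + pattern);
            }
        } catch (ServletException e) {
            throw new IllegalStateException("servlet registration failed", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Case 2 is the one to audit for in code review: the servlet class looks protected by its annotation, yet its mapping is deployed without any constraint.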