*/
protected synchronized void authenticatorConfig() {
- // Does this Context require an Authenticator?
- SecurityConstraint constraints[] = context.findConstraints();
- if ((constraints == null) || (constraints.length == 0))
- return;
+ // Always need an authenticator to support @ServletSecurity annotations
LoginConfig loginConfig = context.getLoginConfig();
if (loginConfig == null) {
loginConfig = DUMMY_LOGIN_CONFIG;
doTestSecurityAnnotationsAddServlet(true);
}
+ public void testSecurityAnnotationsNoWebXmlConstraints() throws Exception {
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ File appDir = new File("test/webapp-3.0-servletsecurity");
+ tomcat.addWebapp(null, "", appDir.getAbsolutePath());
+
+ tomcat.start();
+
+ ByteChunk bc = new ByteChunk();
+ int rc;
+ rc = getUrl("http://localhost:" + getPort() + "/",
+ bc, null, null);
+
+ assertNull(bc.toString());
+ assertEquals(403, rc);
+ }
+
private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
throws Exception {
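Review bot: The new test testSecurityAnnotationsNoWebXmlConstraints asserts a 403 with no body but never says why that is the expected outcome, and as the regression test for the CVE-2011-1088 entry in the changelog it should; a Javadoc along the lines of `/** @ServletSecurity annotations must be honoured even when web.xml declares no security constraints (CVE-2011-1088): an unauthenticated request to the role-protected servlet mapped at "/" must be rejected with 403. */` would make the intent clear to the next reader (the mapping is presumably the one in the new web.xml added in this commit, which the appDir name suggests but the hunk does not show). The two-step `int rc; rc = getUrl(...)` can be a single initialised declaration, `int rc = getUrl("http://localhost:" + getPort() + "/", bc, null, null);`. `assertNull(bc.toString())` appears to rely on ByteChunk.toString() returning null rather than "" for an empty chunk, which is worth a one-line comment since a reader would otherwise expect an empty-string assertion. The enclosing test class starts and ends outside this hunk.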
--- /dev/null
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <!--
+ WARNING:
+ For the unit tests to work correctly, no security constraints may be
+ configured in the web.xml. A login-config section is permitted but not
+ necessary for the tests. Adding a login-config would require changing the
+ return code checked in the unit tests.
+ -->
+
+ <display-name>Tomcat Test Application</display-name>
+ <description>
+ Used as part of the Tomcat unit tests when a full web application is
+ required.
+ </description>
+
+ <servlet>
+ <servlet-name>RoleProtected</servlet-name>
+ <servlet-class>org.apache.catalina.core.TestStandardWrapper$RoleAllowServlet</servlet-class>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>RoleProtected</servlet-name>
+ <url-pattern>/</url-pattern>
+ </servlet-mapping>
+
+</web-app>
\ No newline at end of file
<section name="Tomcat 7.0.11 (markt)">
<subsection name="Catalina">
<changelog>
+ <fix>
+ CVE-2011-1088: Completed fix. Don't ignore @ServletSecurity
+ annotations. (markt)
+ </fix>
<add>
<bug>25060</bug>: Close Apache Commons DBCP datasources when the
associated JNDI naming context is stopped (e.g. for a non-global
<subsection name="Catalina">
<changelog>
<fix>
+ CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity
+ annotations. (markt)
+ </fix>
+ <fix>
<bug>27988</bug>: Improve reporting of missing files. (markt)
</fix>
<fix>
Improve shut down speed by not renewing threads during shut down when
the <code>ThreadLocalLeakPreventionListener</code> is enabled. (markt)
</fix>
- <fix>
- CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity
- annotations. (markt)
- </fix>
</changelog>
</subsection>
<subsection name="Coyote">