From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Wed, 9 Mar 2011 12:20:58 +0000 (+0000)
Subject: CVE-2011-1088
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b50dccd95ef7f38a757eec8a15b48b553af59486;p=tomcat7.0

CVE-2011-1088
Fix unit test failures

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1079769 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/java/org/apache/catalina/core/StandardWrapper.java b/java/org/apache/catalina/core/StandardWrapper.java
index 8e0c2ec5c..40b1e89f3 100644
--- a/java/org/apache/catalina/core/StandardWrapper.java
+++ b/java/org/apache/catalina/core/StandardWrapper.java
@@ -1145,9 +1145,14 @@ public class StandardWrapper extends ContainerBase
         // Calling this twice isn't harmful so no syncs
         servletSecurityAnnotationScanRequired = false;
 
+        Context ctxt = (Context) getParent();
+        
+        if (ctxt.getIgnoreAnnotations()) {
+            return;
+        }
+
         ServletSecurity secAnnotation =
             servlet.getClass().getAnnotation(ServletSecurity.class);
-        Context ctxt = (Context) getParent();
         if (secAnnotation != null) {
             ctxt.addServletSecurity(
                     new ApplicationServletRegistration(this, ctxt),
diff --git a/java/org/apache/catalina/startup/ContextConfig.java b/java/org/apache/catalina/startup/ContextConfig.java
index 04c702273..9b57fe9df 100644
--- a/java/org/apache/catalina/startup/ContextConfig.java
+++ b/java/org/apache/catalina/startup/ContextConfig.java
@@ -366,11 +366,16 @@ public class ContextConfig
      */
     protected synchronized void authenticatorConfig() {
 
-        // Always need an authenticator to support @ServletSecurity annotations
         LoginConfig loginConfig = context.getLoginConfig();
         if (loginConfig == null) {
-            loginConfig = DUMMY_LOGIN_CONFIG;
-            context.setLoginConfig(loginConfig);
+            if (context.getIgnoreAnnotations())  {
+                return;
+            } else {
+                // Not metadata-complete, need an authenticator to support
+                // @ServletSecurity annotations
+                loginConfig = DUMMY_LOGIN_CONFIG;
+                context.setLoginConfig(loginConfig);
+            }
         }
 
         // Has an authenticator been configured already?
diff --git a/test/webapp-3.0/WEB-INF/web.xml b/test/webapp-3.0/WEB-INF/web.xml
index c67fc9d92..0dd427588 100644
--- a/test/webapp-3.0/WEB-INF/web.xml
+++ b/test/webapp-3.0/WEB-INF/web.xml
@@ -113,4 +113,7 @@
     <url-pattern>/testStandardWrapper/securityAnnotationsMetaDataPriority</url-pattern>  
   </servlet-mapping>
 
+  <login-config>
+    <auth-method>BASIC</auth-method>
+  </login-config>
 </web-app>
\ No newline at end of file