The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still ignored when there are no security constraints defined in web.xml (a typical use case).
There will be a Tomcat 7.0.11 release shortly to address this. In the meantime, the workaround of specifying at least one security constraint in web.xml can be used to trigger the scanning of @SecurityAnnotations.

Mark
on behalf of the Apache Tomcat security team
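
An added example (not part of the original message or of Tomcat's own code): a Python check that a web.xml declares at least one `<security-constraint>`, which is the condition the workaround above relies on. The sample descriptors, the placeholder URL pattern, the class name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original message).
NO_CONSTRAINT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
</web-app>
"""
# Hypothetical placeholder constraint: denies all access to an unused path.
WITH_CONSTRAINT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>placeholder</web-resource-name>
      <url-pattern>/unused-placeholder/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def count_security_constraints(web_xml_text):
    """Count <security-constraint> children of <web-app>, in any namespace."""
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    if local_name(root.tag) != "web-app":
        raise ValueError("root element is not <web-app>")
    return sum(1 for el in root if local_name(el.tag) == "security-constraint")

def audit(descriptors):
    """Map each app name to a workaround status, or 'unparseable'."""
    report = {}
    for name, text in descriptors.items():
        try:
            present = count_security_constraints(text) >= 1
            report[name] = "workaround present" if present else "workaround missing"
        except (ET.ParseError, ValueError):
            report[name] = "unparseable"
    return report

if __name__ == "__main__":
    samples = {"app-a": NO_CONSTRAINT, "app-b": WITH_CONSTRAINT, "app-c": "<web-app>"}
    for app, status in audit(samples).items():
        print(f"{app}: {status}")
```
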