Author: markt
Date: Wed Mar  9 12:20:58 2011
New Revision: 1079769

URL: http://svn.apache.org/viewvc?rev=1079769&view=rev
Log:
CVE-2011-1088
Fix unit test failures

Modified:
    tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java
    tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
    tomcat/trunk/test/webapp-3.0/WEB-INF/web.xml

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java?rev=1079769&r1=1079768&r2=1079769&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java Wed Mar  9 
12:20:58 2011
@@ -1145,9 +1145,14 @@ public class StandardWrapper extends Con
         // Calling this twice isn't harmful so no syncs
         servletSecurityAnnotationScanRequired = false;
 
+        Context ctxt = (Context) getParent();
+        
+        if (ctxt.getIgnoreAnnotations()) {
+            return;
+        }
+
         ServletSecurity secAnnotation =
             servlet.getClass().getAnnotation(ServletSecurity.class);
-        Context ctxt = (Context) getParent();
         if (secAnnotation != null) {
             ctxt.addServletSecurity(
                     new ApplicationServletRegistration(this, ctxt),
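Review bot: The early `return` on `ctxt.getIgnoreAnnotations()` has no comment saying why skipping the scan is correct, and this is the line that decides whether `@ServletSecurity` can add constraints at all. I would add something like `// metadata-complete: web.xml is authoritative, so @ServletSecurity on the servlet class must not add constraints` above the `if`. The existing comment `// Calling this twice isn't harmful so no syncs` still holds, because the flag is cleared before the new return. The method starts and ends outside this hunk, so the cast `(Context) getParent()` is assumed to be as safe here as it was at its old position.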

Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=1079769&r1=1079768&r2=1079769&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Wed Mar  9 
12:20:58 2011
@@ -366,11 +366,16 @@ public class ContextConfig
      */
     protected synchronized void authenticatorConfig() {
 
-        // Always need an authenticator to support @ServletSecurity annotations
         LoginConfig loginConfig = context.getLoginConfig();
         if (loginConfig == null) {
-            loginConfig = DUMMY_LOGIN_CONFIG;
-            context.setLoginConfig(loginConfig);
+            if (context.getIgnoreAnnotations())  {
+                return;
+            } else {
+                // Not metadata-complete, need an authenticator to support
+                // @ServletSecurity annotations
+                loginConfig = DUMMY_LOGIN_CONFIG;
+                context.setLoginConfig(loginConfig);
+            }
         }
 
         // Has an authenticator been configured already?
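Review bot: In `authenticatorConfig()` the new `return` fires whenever a metadata-complete application has no `<login-config>`, even if its web.xml declares `<security-constraint>` elements. The authenticator set-up that follows is then skipped, and if the authenticator is what enforces those constraints they would go unchecked. The rest of the method is outside the hunk, so this is inferred, but the same commit had to add `<login-config>` to the test web.xml to get the tests passing, which points the same way. Consider returning only when there is nothing to enforce, e.g. `if (context.getIgnoreAnnotations() && context.findConstraints().length == 0) { return; }`. The comment should then say the dummy login config serves descriptor constraints as well as `@ServletSecurity`.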

Modified: tomcat/trunk/test/webapp-3.0/WEB-INF/web.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/webapp-3.0/WEB-INF/web.xml?rev=1079769&r1=1079768&r2=1079769&view=diff
==============================================================================
--- tomcat/trunk/test/webapp-3.0/WEB-INF/web.xml (original)
+++ tomcat/trunk/test/webapp-3.0/WEB-INF/web.xml Wed Mar  9 12:20:58 2011
@@ -113,4 +113,7 @@
     
<url-pattern>/testStandardWrapper/securityAnnotationsMetaDataPriority</url-pattern>
  
   </servlet-mapping>
 
+  <login-config>
+    <auth-method>BASIC</auth-method>
+  </login-config>
 </web-app>
\ No newline at end of file


