On 09/03/2011 11:00, Henri Gomez wrote:
> 2011/3/9 Mark Thomas:
>> On 09/03/2011 10:48, Mark Thomas wrote:
>>> The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
>>> ignored when there are no security constraints defined in web.xml (a
>>> typical use case).
>>
>> This was miss
2011/3/9 Mark Thomas:
> On 09/03/2011 10:48, Mark Thomas wrote:
>> The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
>> ignored when there are no security constraints defined in web.xml (a
>> typical use case).
>
> This was missed by the unit tests due to the way I configured
On 09/03/2011 10:48, Mark Thomas wrote:
> The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
> ignored when there are no security constraints defined in web.xml (a
> typical use case).
This was missed by the unit tests due to the way I configured the
authenticator. I have a fi
The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
ignored when there are no security constraints defined in web.xml (a
typical use case).
There will be a Tomcat 7.0.11 release shortly to address this. In the
meantime, the workaround of specifying at least one security constra
As reported on the users list [1], both Tomcat 7.0.8 and the latest
Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
Assuming this issue is confirmed, it may lead to authentication bypass
and information disclosure.
The exact deta