Does Tomcat 7.0.6 already support the ServletSecurity annotation in the Servlet 3.0 specification?

StackOverflow https://stackoverflow.com/questions/4789871

  •  24-10-2019

Question

I was trying to use the ServletSecurity annotation of the Servlet 3.0 specification in Tomcat 7.0.6, but it seems that the Tomcat server doesn't scan the ServletSecurity annotation. The code follows:

import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet(name = "IndexServlet", urlPatterns = {"/index"})
@DeclareRoles("ROLE_ADMIN")
// The per-method entry for GET names no roles; emptyRoleSemantic defaults to PERMIT
@ServletSecurity(value = @HttpConstraint(rolesAllowed = "ROLE_ADMIN"),
                 httpMethodConstraints = @HttpMethodConstraint("GET"))
public class IndexServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/WEB-INF/jsp/main.jsp").forward(request, response);
    }
}

So is there anyone who has tested the ServletSecurity annotation successfully in Tomcat 7? Or does Tomcat 7 not support the ServletSecurity annotation yet?

I was confused by the problem for a few days, so could someone figure it out for me? Any help is appreciated.


Solution

You need to remove httpMethodConstraints=@HttpMethodConstraint("GET")

An interesting "feature" in the spec is constraints are OR - not AND. So if you are requesting /index as a GET - the security constraint passes and the rolesAllowed constraint is ignored.

A third party library like SecurityFilter [ http://securityfilter.sourceforge.net/ ] will probably do a better job at constraint handling as compared to what is provided by the Servlet Spec.
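As an added example (not code from the question or the answer above), here is the servlet with the GET entry removed, so that ROLE_ADMIN is required for every method, followed by a hypothetical second servlet (AdminReportServlet and its URL are assumed, not from the page) that shows how to keep a per-method constraint without opening the method up: the roles must be restated on the @HttpMethodConstraint itself, and the default @HttpConstraint can then deny all other methods.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Corrected form of the servlet from the question. The @HttpConstraint passed as
 * "value" covers every HTTP method that has no entry in httpMethodConstraints.
 * The original @HttpMethodConstraint("GET") named no roles, and its
 * emptyRoleSemantic defaults to PERMIT, so GET became reachable by anyone while
 * the other methods still required ROLE_ADMIN.
 */
@WebServlet(name = "IndexServlet", urlPatterns = {"/index"})
@DeclareRoles("ROLE_ADMIN")
@ServletSecurity(@HttpConstraint(rolesAllowed = "ROLE_ADMIN")) // applies to all methods
public class IndexServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/WEB-INF/jsp/main.jsp").forward(request, response);
    }
}

/*
 * Hypothetical variant (servlet name and path are assumed): only GET should be
 * served, and only to ROLE_ADMIN. The per-method constraint restates the role;
 * the default constraint denies every other method (POST, PUT, DELETE, ...).
 */
@WebServlet(name = "AdminReportServlet", urlPatterns = {"/admin/report"})
@DeclareRoles("ROLE_ADMIN")
@ServletSecurity(
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "ROLE_ADMIN")
    })
class AdminReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        response.getWriter().println("report for " + request.getRemoteUser());
    }
}
```

Tomcat only reads these annotations when the web.xml is absent or its metadata-complete attribute is not "true", and the roles must exist in the configured Realm for the check to admit anyone.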

Licensed under: CC-BY-SA with attribution