Does Tomcat 7.0.6 already support the ServletSecurity annotation in the Servlet 3.0 specification?
24-10-2019
Question
I was trying to use the ServletSecurity annotation of the Servlet 3.0 specification in Tomcat 7.0.6, but it seems that the Tomcat server doesn't scan the ServletSecurity annotation. The code is as follows:
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "IndexServlet", urlPatterns = {"/index"})
@DeclareRoles("ROLE_ADMIN")
// @HttpConstraint is the default for every HTTP method not listed in
// httpMethodConstraints; the @HttpMethodConstraint("GET") entry overrides it for GET.
@ServletSecurity(value = @HttpConstraint(rolesAllowed = "ROLE_ADMIN"),
                 httpMethodConstraints = @HttpMethodConstraint("GET"))
public class IndexServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Hand the request to the JSP under WEB-INF (not directly reachable by clients)
        request.getRequestDispatcher("/WEB-INF/jsp/main.jsp").forward(request, response);
    }
}
So is there anyone who has tested the ServletSecurity annotation successfully in Tomcat 7? Or does Tomcat 7 not support the ServletSecurity annotation yet?
I have been confused by this problem for a few days, so could someone figure it out for me? Any help is appreciated.
Solution
You need to remove httpMethodConstraints=@HttpMethodConstraint("GET").
An interesting "feature" in the spec is that constraints are OR, not AND. So if you are requesting /index as a GET, the security constraint passes and the rolesAllowed constraint is ignored.
A third-party library like SecurityFilter [ http://securityfilter.sourceforge.net/ ] will probably do a better job at constraint handling than what is provided by the Servlet Spec.
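The following is an added example, not code from the question or the answer above. It puts the posted annotation next to a deny-by-default rewrite so the effect of @HttpMethodConstraint("GET") is visible at the HTTP level. It assumes a web.xml with a <login-config> (for instance BASIC) and a Tomcat realm that maps some user to ROLE_ADMIN; the servlet names OpenGetServlet and AdminServlet and the URL patterns /open and /admin are illustrative choices, not from the original post.

```java
// Added example (not the original poster's code). Two servlets in two files,
// shown together. Assumes (not from the post) a web.xml <login-config> and a
// realm that grants ROLE_ADMIN to at least one user.

// ---- OpenGetServlet.java: the posted annotation, which leaves GET open ----
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// value= is the default constraint for every method NOT named in
// httpMethodConstraints. @HttpMethodConstraint("GET") names GET but carries
// no rolesAllowed, and its emptyRoleSemantic defaults to PERMIT, so an
// anonymous GET /open is served. Only POST, PUT, DELETE, ... need ROLE_ADMIN.
@WebServlet(name = "OpenGetServlet", urlPatterns = {"/open"})
@DeclareRoles("ROLE_ADMIN")
@ServletSecurity(value = @HttpConstraint(rolesAllowed = "ROLE_ADMIN"),
                 httpMethodConstraints = @HttpMethodConstraint("GET"))
public class OpenGetServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For an unauthenticated caller this prints "user=null admin=false":
        // the container never challenged the request.
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getRemoteUser()
                + " admin=" + req.isUserInRole("ROLE_ADMIN"));
    }
}

// ---- AdminServlet.java: role attached to GET itself, everything else denied ----
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "AdminServlet", urlPatterns = {"/admin"})
@DeclareRoles("ROLE_ADMIN")
@ServletSecurity(
    // Default for any method not listed below: DENY, so no unlisted verb
    // (HEAD, OPTIONS, TRACE, a custom method) reaches the servlet.
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    // The role requirement is on GET itself, not on "everything except GET".
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "ROLE_ADMIN")
    })
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reached after the container has authenticated a ROLE_ADMIN user.
        req.getRequestDispatcher("/WEB-INF/jsp/main.jsp").forward(req, resp);
    }
}
```

Deploy both and compare an anonymous `curl -i` against /open and /admin: /open answers with the "user=null" body, while /admin is challenged or refused by the container before doGet runs. The answer's own fix, dropping httpMethodConstraints so that @HttpConstraint(rolesAllowed = "ROLE_ADMIN") covers every method, is the simpler equivalent; the DENY form above is the stricter variant when a servlet should only ever answer the verbs you list.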