Bug 50015 - dynamic servlet security incomplete and badly distributed
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: trunk
Hardware: PC All
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Reported: 2010-09-27 16:22 UTC by david jencks
Modified: 2010-10-08 09:22 UTC
Attachments
patch for improved dynamic servlet security implementations (10.05 KB, patch)
2010-09-27 16:24 UTC, david jencks

Description david jencks 2010-09-27 16:22:54 UTC
The current implementation of dynamic servlet security through ServletRegistration.Dynamic.setServletSecurity and the ServletContext.createServlet and addServlet methods is incomplete, and includes some logic that exposes internals of the Tomcat security framework directly in the ServletRegistration.Dynamic implementation.

The attached patch:

- moves the logic that depends on the internals of Tomcat's security implementation from ApplicationServletRegistration to StandardContext, where it can at least be overridden by e.g. JACC implementations

- provides notifications to StandardContext of users calling createServlet and addServlet on ApplicationContext/ServletContext so subclasses of StandardContext can implement the spec behavior without subclassing ApplicationContext.

This patch is generated from a Tomcat copy that already has several other patches I've proposed applied. Let me know if there are problems applying it.
Comment 1 david jencks 2010-09-27 16:24:07 UTC
Created attachment 26088
patch for improved dynamic servlet security implementations
Comment 2 Mark Thomas 2010-10-08 09:22:03 UTC
Thanks. Patch applied. Will be in 7.0.4 onwards.
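
For readers unfamiliar with the API this report concerns, the following is an added example (not part of the bug report or the attached patch) of programmatic servlet security through the standard Servlet 3.0 `ServletRegistration.Dynamic.setServletSecurity` call. The servlet name, class name, URL pattern and role name are assumptions chosen for illustration. The point to check is the return value: patterns already constrained in the deployment descriptor are not changed by the call.

```java
import java.util.Arrays;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

// Hypothetical initializer; it must be listed in
// META-INF/services/javax.servlet.ServletContainerInitializer to be invoked.
public class ReportsInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx)
            throws ServletException {
        // addServlet returns null when a servlet with this name already has
        // a complete registration, so the constraints below would not apply.
        ServletRegistration.Dynamic reg =
                ctx.addServlet("reports", "com.example.ReportsServlet"); // assumed names
        if (reg == null) {
            throw new ServletException("servlet 'reports' is already registered");
        }
        reg.addMapping("/reports/*"); // assumed pattern

        // Default for every HTTP method: TLS required, role "auditor" only.
        HttpConstraintElement defaults =
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "auditor");
        // Method-specific override: DELETE is denied to everyone.
        HttpMethodConstraintElement denyDelete = new HttpMethodConstraintElement(
                "DELETE", new HttpConstraintElement(EmptyRoleSemantic.DENY));

        // Must run before the context finishes initializing, otherwise the
        // container throws IllegalStateException.
        Set<String> unaffected = reg.setServletSecurity(
                new ServletSecurityElement(defaults, Arrays.asList(denyDelete)));

        // Patterns returned here are exact targets of a security-constraint
        // in the deployment descriptor; that constraint stays in force and
        // the programmatic one is not applied to them.
        for (String pattern : unaffected) {
            ctx.log("setServletSecurity not applied to " + pattern
                    + "; the web.xml security-constraint governs it");
        }
    }
}
```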