angler-fishThe Vulnerability History Project

CVE-2011-1088

      Start of fix for issue reported on users list that @ServletSecurity annotations were ignored.
This fix is not yet complete. This first part:
- Triggers the loading of the Wrapper before the constraints are processed to ensure that any @ServletSecurity annotations are taken account of
- Makes sure the constraints collection is thread-safe given new usage
- Adds scanning for @ServletSecurity when a Servlet is loaded
- Ensure there is always an authenticator when using the embedded Tomcat class so that @ServletSecurity will have an effect
- Adds a simple unit test to check @ServletSecurity annotations are processed
Further commits will add additional test cases and any changes required for those test cases to pass

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1076586 13f79535-47bb-0310-9956-ffa450edef68
by Pauline the Wren 2011-03-03 11:16:51 UTC
commit 5c8560f3054982abaa476d87ec031c439d58d66e
Tomcat Fix Ignored Security Annotations CVE-2011-1088 VCC CVE-2011-1183
java/org/apache/catalina/authenticator/AuthenticatorBase.java
-8
java/org/apache/catalina/core/StandardContext.java
+1 -2
java/org/apache/catalina/core/StandardWrapper.java
+1 -13
java/org/apache/catalina/startup/Tomcat.java
-9
test/org/apache/catalina/core/TestStandardWrapper.java
-73
expand_less