<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi Stuart,<div><br></div><div>I’m checking it in the debugger, with a breakpoint in the doGet method of a (test) servlet. </div><div><br></div><div>I then examine the request property at the following path:</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span><font face="Courier New">request.exchange.attachments</font> and look for the <font face="Courier New">ServletRequestContext</font>, </div><div><br></div><div>and from there the <font face="Courier New">currentServlet.managedServlet.servletInfo.servletSecurityInfo</font></div><div><br></div><div>I’ve put a Gist here: <a href="https://gist.github.com/paulkmoore/8997728">https://gist.github.com/paulkmoore/8997728</a> so that you can see the servlet and web.xml.</div><div><br></div><div>The reason for the investigation is that I’m using JASPI which relies on ServletSecurityInfo being populated, as in the JASPIAuthenticationMechanism.isMandatory() method <a href="https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/security/jaspi/JASPIAuthenticationMechanism.java?source=cc">here</a>.</div><div><br></div><div>Make sense?</div><div><br></div><div>Paul</div><div><br></div><div><br><div><div>On 14 Feb 2014, at 02:40, Stuart Douglas <<a href="mailto:sdouglas@redhat.com">sdouglas@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">When you say 'in the request the ServletSecurityInfo is (correctly) populated.' how are you actually checking this?<br><br>Stuart<br><br>----- Original Message -----<br><blockquote type="cite">From: "Paul K Moore" <<a href="mailto:paulkmoore@gmail.com">paulkmoore@gmail.com</a>><br>To: <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>Sent: Thursday, 13 February, 2014 9:59:42 PM<br>Subject: [undertow-dev] Security constraints and population of<span class="Apple-tab-span" style="white-space:pre">        </span>ServletSecurityInfo<br><br>Hi all,<br><br>I am seeing some odd behaviour regarding security constraints.<br><br>If I add an @ServletSecurity annotation to a servlet, in the request the<br>ServletSecurityInfo is (correctly) populated.<br><br>However, if I add (notionally) the same constraint in web.xml, the<br>ServletSecurityInfo is *not* populated (it’s actually a null).<br><br>Is this the intended behaviour?<br><br>Many thanks<br><br>Paul<br><br>PS: Undertow version is Undertow 1.0.0.Final-SNAPSHOT, I’ve not moved to<br>Wildfly 8.0.0 Final yet :)<br>_______________________________________________<br>undertow-dev mailing list<br><a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/undertow-dev<br><br></blockquote></blockquote></div><br></div></body></html>