Basically this is a bug; we should not be using that attribute here as it only corresponds
to constraints applied directly to the servlet, and not other path-based constraints. The
actual current constraint set is aggregated in the ServletRequestContext.
Fix is here:
From: "Paul K Moore" <paulkmoore(a)gmail.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Friday, 14 February, 2014 2:40:05 PM
Subject: Re: [undertow-dev] Security constraints and population of ServletSecurityInfo
Hi Stuart,
I’m checking it in the debugger, with a breakpoint in the doGet method of a
(test) servlet.
I then examine the request property at the following path:
request.exchange.attachments and look for the ServletRequestContext, and
from there the currentServlet.managedServlet.servletInfo.servletSecurityInfo
I’ve put a Gist here: https://gist.github.com/paulkmoore/8997728 so that you
can see the servlet and web.xml.
The reason for the investigation is that I’m using JASPI which relies on
ServletSecurityInfo being populated, as in the
JASPIAuthenticationMechanism.isMandatory() method here.
Make sense?
Paul
On 14 Feb 2014, at 02:40, Stuart Douglas <sdouglas(a)redhat.com> wrote:
> When you say 'in the request the ServletSecurityInfo is (correctly)
> populated.' how are you actually checking this?
>
> Stuart
>
> ----- Original Message -----
>> From: "Paul K Moore" <paulkmoore(a)gmail.com>
>> To: undertow-dev(a)lists.jboss.org
>> Sent: Thursday, 13 February, 2014 9:59:42 PM
>> Subject: [undertow-dev] Security constraints and population of
>> ServletSecurityInfo
>>
>> Hi all,
>>
>> I am seeing some odd behaviour regarding security constraints.
>>
>> If I add an @ServletSecurity annotation to a servlet, in the request the
>> ServletSecurityInfo is (correctly) populated.
>>
>> However, if I add (notionally) the same constraint in web.xml, the
>> ServletSecurityInfo is *not* populated (it’s actually a null).
>>
>> Is this the intended behaviour?
>>
>> Many thanks
>>
>> Paul
>>
>> PS: Undertow version is Undertow 1.0.0.Final-SNAPSHOT, I’ve not moved to
>> Wildfly 8.0.0 Final yet :)