424303 @ServletSecurity not applied on non load-on-startup servlets

2013-12-19 15:23:42 +11:00 · 2013-12-19 15:23:42 +11:00 · 801a33d367
parent 56b0fedf69
commit 801a33d367
1 changed files with 19 additions and 0 deletions
--- a/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
+++ b/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
@ -323,6 +323,8 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope
                throw ue;
        }

+        //check if we need to forcibly set load-on-startup
+        checkInitOnStartup();

        _identityService = _servletHandler.getIdentityService();
        if (_identityService!=null && _runAsRole!=null)
@ -465,6 +467,23 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope

        return isStarted()&& _unavailable==0;
    }
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * Check if there is a javax.servlet.annotation.ServletSecurity
+     * annotation on the servlet class. If there is, then we force
+     * it to be loaded on startup, because all of the security 
+     * constraints must be calculated as the container starts.
+     * 
+     */
+    private void checkInitOnStartup()
+    {
+        if (_class==null)
+            return;
+        
+        if ((_class.getAnnotation(javax.servlet.annotation.ServletSecurity.class) != null) && !_initOnStartup)
+            setInitOrder(Integer.MAX_VALUE);    
+    }

    /* ------------------------------------------------------------ */
    private void makeUnavailable(UnavailableException e)