From 801a33d367041ad1752ddfcae5348485ca928c25 Mon Sep 17 00:00:00 2001
From: Jan Bartel <janb@intalio.com>
Date: Thu, 19 Dec 2013 15:23:42 +1100
Subject: [PATCH] 424303  @ServletSecurity not applied on non load-on-startup
 servlets

---
 .../eclipse/jetty/servlet/ServletHolder.java  | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java b/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
index f4bea22baec..9e28d320e76 100644
--- a/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
+++ b/jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
@@ -323,6 +323,8 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope
                 throw ue;
         }
 
+        //check if we need to forcibly set load-on-startup
+        checkInitOnStartup();
 
         _identityService = _servletHandler.getIdentityService();
         if (_identityService!=null && _runAsRole!=null)
@@ -465,6 +467,23 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope
 
         return isStarted()&& _unavailable==0;
     }
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * Check if there is a javax.servlet.annotation.ServletSecurity
+     * annotation on the servlet class. If there is, then we force
+     * it to be loaded on startup, because all of the security 
+     * constraints must be calculated as the container starts.
+     * 
+     */
+    private void checkInitOnStartup()
+    {
+        if (_class==null)
+            return;
+        
+        if ((_class.getAnnotation(javax.servlet.annotation.ServletSecurity.class) != null) && !_initOnStartup)
+            setInitOrder(Integer.MAX_VALUE);    
+    }
 
     /* ------------------------------------------------------------ */
     private void makeUnavailable(UnavailableException e)