424303 @ServletSecurity not applied on non load-on-startup servlets

This commit is contained in:
Jan Bartel 2013-12-19 15:23:42 +11:00
parent 56b0fedf69
commit 801a33d367
1 changed files with 19 additions and 0 deletions

View File

@ -323,6 +323,8 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope
throw ue; throw ue;
} }
//check if we need to forcibly set load-on-startup
checkInitOnStartup();
_identityService = _servletHandler.getIdentityService(); _identityService = _servletHandler.getIdentityService();
if (_identityService!=null && _runAsRole!=null) if (_identityService!=null && _runAsRole!=null)
@ -466,6 +468,23 @@ public class ServletHolder extends Holder<Servlet> implements UserIdentity.Scope
return isStarted()&& _unavailable==0; return isStarted()&& _unavailable==0;
} }
/* ------------------------------------------------------------ */
/**
* Check if there is a javax.servlet.annotation.ServletSecurity
* annotation on the servlet class. If there is, then we force
* it to be loaded on startup, because all of the security
* constraints must be calculated as the container starts.
*
*/
private void checkInitOnStartup()
{
if (_class==null)
return;
if ((_class.getAnnotation(javax.servlet.annotation.ServletSecurity.class) != null) && !_initOnStartup)
setInitOrder(Integer.MAX_VALUE);
}
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
private void makeUnavailable(UnavailableException e) private void makeUnavailable(UnavailableException e)
{ {