2013/9/11 Mark Thomas <ma...@apache.org>:
> On 11/09/2013 14:44, Konstantin Kolinko wrote:
>> 2013/9/11  <ma...@apache.org>:
>>> Author: markt
>>> Date: Wed Sep 11 11:59:37 2013
>>> New Revision: 1521817
>>>
>>> URL: http://svn.apache.org/r1521817
>>> Log:
>>> Comment
>>>
>>> Modified:
>>>     tomcat/tc6.0.x/trunk/STATUS.txt
>>>
>>> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
>>> URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1521817&r1=1521816&r2=1521817&view=diff
>>> ==============================================================================
>>> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
>>> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Sep 11 11:59:37 2013
>>> @@ -103,6 +103,10 @@ PATCHES PROPOSED TO BACKPORT:
>>>       I think @Target change for @DenyAll is wrong.
>>>       Looking at Geronimo, @DenyAll has "@Target({ElementType.METHOD})" in 
>>> CA 1.0 there.
>>>       It is "@Target({ElementType.TYPE, ElementType.METHOD})" starting with 
>>> CA 1.1.
>>> +     markt:
>>> +     The CA 1.0 spec section 2.11 is explicit that DenyAll is permitted on
>>> +     classes. Geronimo and whatever source was used generate the official 
>>> Java
>>> +     EE 5 Javadoc are wrong.
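Review bot: the added markt entry cites "CA 1.0 spec section 2.11" as proof that Geronimo and the Java EE 5 Javadoc are wrong, but it does not quote the sentence it relies on. Quoting or linking that text in STATUS.txt would let voters check the claim against the "@Target({ElementType.METHOD})" evidence in the lines above it. The phrase "whatever source was used generate" is also missing "to", and the commit log "Comment" does not say which backport proposal the entry answers.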
>>
>> Ah, I see it.
>>
>> Nevertheless, it looks to me that it is not just a typo, but a genuine
>> error, that was corrected in CA 1.1. It is mentioned in changelog,
>> http://jcp.org/aboutJava/communityprocess/maintenance/jsr250/250ChangeLog.html
>> -> "Maintenance Review 1," -> "2. Change the definition of the
>> @DenyAll annotation"
>
> That looks like a Javadoc / implementation correction to me. The EGs
> aren't always very good at keeping spec issues and RI issues separate.
>
>> Unless there is some evidence in mailing lists elsewhere, I think the
>> question is which version of the class would pass a TCK. I think that
>> Geronimo classes might have been tested better than the ones in Tomcat.
>
> If the Tomcat version failed a TCK, I'd challenge the failure on the
> grounds of the CA 1.0 spec section 2.11.
>

I would like to see either someone encountering and reporting this
issue in Tomcat 6, or some existing implementation of CA 1.0 that has
this change.

I do not see enough grounds to change this class in Tomcat 6 now. It is legacy.


Just googling, trying to find whether others noted this issue.

http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html
does not have 'X' in "@DenyAll vs. TYPE" cell in a table.

http://pic.dhe.ibm.com/infocenter/rsawshlp/v7r5m0/index.jsp?topic=%2Fcom.ibm.jee5.doc%2Ftopics%2Ftsecuringejee.html
does not say that @DenyAll can be used at type level.

Best regards,
Konstantin Kolinko
