CVE-2011-1088

Fix unit test failures

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1079769 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/core/StandardWrapper.java

@@ -1145,9 +1145,14 @@ private void processServletSecurityAnnotation(Servlet servlet) {
         // Calling this twice isn't harmful so no syncs
         servletSecurityAnnotationScanRequired = false;
 
+        Context ctxt = (Context) getParent();
+
+        if (ctxt.getIgnoreAnnotations()) {
+            return;
+        }
+
         ServletSecurity secAnnotation =
             servlet.getClass().getAnnotation(ServletSecurity.class);
-        Context ctxt = (Context) getParent();
         if (secAnnotation != null) {
             ctxt.addServletSecurity(
                     new ApplicationServletRegistration(this, ctxt),

java/org/apache/catalina/startup/ContextConfig.java

@@ -366,11 +366,16 @@ protected void applicationAnnotationsConfig() {
      */
     protected synchronized void authenticatorConfig() {
 
-        // Always need an authenticator to support @ServletSecurity annotations
         LoginConfig loginConfig = context.getLoginConfig();
         if (loginConfig == null) {
-            loginConfig = DUMMY_LOGIN_CONFIG;
-            context.setLoginConfig(loginConfig);
+            if (context.getIgnoreAnnotations())  {
+                return;
+            } else {
+                // Not metadata-complete, need an authenticator to support
+                // @ServletSecurity annotations
+                loginConfig = DUMMY_LOGIN_CONFIG;
+                context.setLoginConfig(loginConfig);
+            }
         }
 
         // Has an authenticator been configured already?

test/webapp-3.0/WEB-INF/web.xml

@@ -113,4 +113,7 @@
     <url-pattern>/testStandardWrapper/securityAnnotationsMetaDataPriority</url-pattern>  
   </servlet-mapping>
 
+  <login-config>
+    <auth-method>BASIC</auth-method>
+  </login-config>
 </web-app>