Mock Exam doubt: Very interesting (tricky)

 
Ranch Hand
Posts: 55
Which two statements are true about using the isUserInRole() method to implement security in a Java EE application?
(Choose two)
1. It can be invoked only from doGet()
2. It can be used independently of getRemoteUser()
3. It can return true even when its argument is not defined as a valid role name in the DD.
4. Using the isUserInRole() method overrides any declarative authentication related to the method in which it is invoked
5. Using the isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2,3
I think it's 2,5

Source: Enthuware JwebPlus 1.4
 
Ranch Hand
Posts: 94
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>
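As an added illustration (this is example code, not code from the thread, from Enthuware or from any container), the following models how a Servlet container resolves request.isUserInRole(name) through the <security-role-ref>/<role-link> mapping shown above, and adds a small lint for role-links that point at roles no <security-role> declares. The web.xml fragments, the servlet name "ReportServlet" and the principals' role sets are constructed for the example; the <security-role-ref> is placed inside the <servlet> it belongs to, which is where the deployment descriptor expects it.

```python
"""Added example, not code from the thread or from Enthuware: a small model
of how a Servlet container resolves request.isUserInRole(name) through the
web.xml <security-role-ref>/<role-link> mapping described in the post above.

Assumptions: the <security-role-ref> is nested inside the <servlet> it
belongs to; the servlet name "ReportServlet" and the principal's role sets
are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the post's mapping wrapped in a <web-app>
# root and a <servlet> element so that it parses as a deployment descriptor.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>BigWig</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""

# Second constructed fragment whose role-link points at a role that was
# never declared with <security-role>; used to show the dangling-link check.
WEB_XML_DANGLING = """<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>BigWig</role-name>
      <role-link>Administrator</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""


def load_descriptor(xml_text):
    """Return (declared_roles, refs) where refs maps servlet-name ->
    {coded role name -> linked security-role name}."""
    root = ET.fromstring(xml_text)
    declared = {e.findtext("role-name").strip()
                for e in root.findall("security-role")}
    refs = {}
    for servlet in root.findall("servlet"):
        name = servlet.findtext("servlet-name").strip()
        mapping = {}
        for ref in servlet.findall("security-role-ref"):
            coded = ref.findtext("role-name").strip()
            link = ref.findtext("role-link")
            # Without a role-link the coded name is checked directly
            # against the declared <security-role> names.
            mapping[coded] = link.strip() if link else coded
        refs[name] = mapping
    return declared, refs


def is_user_in_role(descriptor, servlet_name, user_roles, coded_name):
    """Model of HttpServletRequest.isUserInRole(coded_name) for a request
    handled by servlet_name, where user_roles is the set of declared
    roles the authenticated principal holds."""
    declared, refs = descriptor
    # Resolve the name used in code through the servlet's role references;
    # an unreferenced name is looked up as-is.
    target = refs.get(servlet_name, {}).get(coded_name, coded_name)
    # Only roles defined by <security-role> exist for the application.
    return target in declared and target in user_roles


def dangling_links(descriptor):
    """Return (servlet, coded name, link) triples whose role-link names a
    role that no <security-role> declares: such a reference can never
    make isUserInRole return true, which is a deployment bug worth
    catching before the application ships."""
    declared, refs = descriptor
    return [(servlet, coded, link)
            for servlet, mapping in refs.items()
            for coded, link in mapping.items()
            if link not in declared]


if __name__ == "__main__":
    desc = load_descriptor(WEB_XML)
    # "BigWig" is not a declared role, yet the call is true for an Admin
    # principal because the reference links it to Admin (answer 3).
    print(is_user_in_role(desc, "ReportServlet", {"Admin"}, "BigWig"))
    print(dangling_links(load_descriptor(WEB_XML_DANGLING)))
```

The model separates the two things the thread argues about: isUserInRole() only answers a yes/no question about the resolved role, while the mapping that makes "BigWig" usable in code lives entirely in the descriptor. The dangling-link check is the kind of thing to run over web.xml in a build step, since a mistyped role-link silently turns every such check into false.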
 
Ranch Hand
Posts: 142

Originally posted by Dee Brown:
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>

Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD defines BigWig as a valid role-name. It even has a <role-name> tag for it.
 
Jan Sterk
Ranch Hand
Posts: 142

Originally posted by gopal venu:
...
5. Using the isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2,3
I think it's 2,5

Source: Enthuware JwebPlus 1.4

5 is wrong because the method itself doesn't do any authorization - it just returns a boolean.
 
Greenhorn
Posts: 15
I agree with Jan.
Declarative authorization is always checked first by the container, before forwarding to the servlet. 5 must be wrong!
 
Dee Brown
Ranch Hand
Posts: 94
"Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD, defines BigWig as valid role-name. It even has a <role-name> tag for it."

The role-name argument is not valid. According to the spec:

- "[<security-role>] is used to define roles that could be tested (i.e., by calling isUserInRole)...".

- "The security-role element contains the definition of a security role."

- "The security-role-ref element contains the declaration of a security role reference in the web application's code. The declaration consists of an optional description, the security role name used in the code, and an optional link to a security role."
 
Jan Sterk
Ranch Hand
Posts: 142
Uh, OK, you're right Dee, well found. I stand corrected.
[ June 17, 2008: Message edited by: Jan Sterk ]
 