HF security-constraint p. 660

 
Ranch Hand
Posts: 293
I am confused about something on p. 660 of the Head First book.
Here is the security constraint they are working with:

<web-app...>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Stuff</web-resource-name>
            <url-pattern>/foo/bar/*</url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

At the bottom right of the page it says "We left off <http-method> so that NO HTTP Methods are accessible to anyone except Admins."

But if you look back on p. 634, it says on the comment at bottom right:
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."

I may be missing something here, but I thought that leaving them out would mean NO methods allowed for anyone.
(I checked in the errata and didn't see anything on this.)

Thoughts anyone???

TJ
 
Ranch Hand
Posts: 884
Hi Terry,

By having zero <http-method>, we're constraining all the HTTP methods. And only users with the admin role can invoke these methods.

I think it's a matter of how they phrased it that confused you.

HTH.
 
Terry Martinson
Ranch Hand
Posts: 293
I'm still a bit confused. So, in the situation listed, can Admin role invoke any HTTP methods?

TJ
 
Chengwei Lee
Ranch Hand
Posts: 884
Yep, users with the admin role can certainly invoke any of the HTTP methods. But anyone who does not have the admin role cannot invoke any HTTP methods at all, since they're all constrained.

HTH.
 
author
Posts: 9050
Hi Terry,

Thanks for your question.

I think that your confusion is reasonable, mostly because I think the big annotation on page 634 could be worded better (and might actually be wrong... horrors!). So, what if the first sentence of the annotation read something like this:

"If there were NO <http-method> elements declared in the <w-r-c> it would mean that ALL methods are constrained, and can ONLY be accessed by those roles defined in the <auth-constraint> element."

Would that be clearer?

Thanks,

Bert
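The rule Bert states above, as an added illustration that is not from the book or from any poster in this thread: a small Python model of how a container evaluates <security-constraint> elements, showing that a <web-resource-collection> with no <http-method> constrains every method, while one that lists GET leaves POST and the rest unconstrained. The web.xml below is constructed for the example (the p. 660 constraint plus a contrasting GET-only one); parse_constraints, pattern_matches and is_allowed are assumed helper names, and the url-pattern matching is a simplified version of the servlet rules.

```python
# Added example (not from the Head First book or this thread): a toy model of
# <security-constraint> evaluation. Not a real container; url-pattern matching
# and constraint combination are simplified.
import xml.etree.ElementTree as ET

# Constructed deployment descriptor: the p. 660 constraint (no <http-method>)
# plus a second constraint that lists GET only, for contrast.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stuff</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return a list of (patterns, methods, roles) tuples.

    methods is an empty set when no <http-method> is declared (=> ALL methods
    constrained). roles is None when there is no <auth-constraint> at all."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def pattern_matches(pattern, path):
    """Simplified url-pattern matching: path prefix (/x/*), extension (*.ext), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_allowed(constraints, method, path, user_roles):
    """Decide whether a request is authorized.

    A constraint covers the request when a url-pattern matches AND either the
    collection lists no <http-method> (every method constrained) or the request
    method is one of the listed ones. An uncovered request is open to anyone.
    A covered request needs one of the union of the covering auth-constraint
    roles; an <auth-constraint> with no <role-name> lets nobody through, and a
    covering constraint with no <auth-constraint> leaves the resource open."""
    method = method.upper()
    covering = [roles for patterns, methods, roles in constraints
                if any(pattern_matches(p, path) for p in patterns)
                and (not methods or method in methods)]
    if not covering:
        return True                      # nothing constrains this method here
    if any(roles is not None and not roles for roles in covering):
        return False                     # empty <auth-constraint>: precluded
    if any(roles is None for roles in covering):
        return True                      # no <auth-constraint>: unprotected
    allowed_roles = set().union(*covering)
    return bool(allowed_roles & set(user_roles))


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for m, p, r in [("GET", "/foo/bar/x", ["Admin"]), ("POST", "/foo/bar/x", ["Guest"]),
                    ("GET", "/reports/q", ["Guest"]), ("POST", "/reports/q", ["Guest"])]:
        print(m, p, r, "->", "allowed" if is_allowed(cs, m, p, r) else "denied")
```

With the p. 660 constraint, every method under /foo/bar/ is covered, so Admin may use any method and everyone else is denied all of them; under /reports/ only GET is covered, so a POST from a non-Admin goes through untouched, which is the asymmetry the book's two annotations were trying to describe.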
 
Chengwei Lee
Ranch Hand
Posts: 884
It certainly sounds very clear to me now.

Would it be in the official errata or would it be updated for 2nd ed?
 
Terry Martinson
Ranch Hand
Posts: 293
Thanks Bert and Cheng. Now it all makes sense.
I did submit this out at the errata site late last week.

TJ