Security Authorization Doubt

Ranch Hand
Posts: 152
Hi All ,

I have some scenarios about authorization which I am not very clear on.

1.

<security-constraint>
.....
<http-method>GET</http-method>
</security-constraint>

(i.e. no <auth-constraint>)
What are the permissions of the users in such a case?
Does no role have access to the GET method? What about other methods?

2.

<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

(i.e. no HTTP method)

This means that Admin has access to all the methods; what about other users?


3.
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
</security-constraint>

(i.e. empty auth-constraint with no role names)
What is the accessibility of GET, and what about other methods?

I think this is one of the most confusing topics (of which even the authors are not sure :-) )

Can anyone please clarify? If possible, could somebody provide a matrix of the possible combinations?

Thanks
Shiva
Greenhorn
Posts: 7

1.
<security-constraint>
.....
<http-method>GET</http-method>
</security-constraint>
(i.e. no <auth-constraint>)

<auth-constraint> NOT being there is the same as <auth-constraint>*</auth-constraint>. So, ALL users can access the GET method on the given url-pattern. For all other http-methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on the given url-pattern.


2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(i.e. no HTTP method)

You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also has access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.


3.
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
</security-constraint>
(i.e. empty auth-constraint with no role names)

I think, firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />

Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods (besides GET), everybody has access to them on the given url-pattern.

Please make sure you have the errata marked on your copy of HFSJ; then the whole concept is crystal clear from the book itself.

In fact, there is a very good example in the specs: SVR.12.8.2, Page 98. with a nice matrix as solution.

Hope this helps!
Regards,
Ruchi.
[ June 01, 2005: Message edited by: Ruchi Kumar ]
shiva viswanathan
Ranch Hand
Posts: 152
Thanks Ruchi ,

</auth-constraint> was a typing error.

Anyway, I had already read about the errata but still wasn't clear.

Now I am pretty clear, thanks to you.

But are you sure about the 2nd question? The permission of everybody (other than admin) should be no methods, since no http-method tag means all methods are accessible by Admin. Doesn't this automatically mean that others don't have permission on any of the methods?

Thanks
Shiva
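The matrix Shiva asks for, as an added example that is not from any poster in this thread: a small Python script that reads a web.xml fragment and works out, per HTTP method, who may reach the constrained url-pattern under the three scenarios above. The `fragment` helper and the sample fragments are constructed for the demonstration; the script assumes one security-constraint per method and does not combine overlapping constraints.

```python
# Added example (not from the thread): who may reach a url-pattern, per HTTP method.
# Rules encoded (the Servlet-spec semantics the thread is about):
#   - no <http-method> listed     -> the constraint covers every method
#   - no <auth-constraint> at all -> everyone, even unauthenticated, is allowed
#   - empty <auth-constraint/>    -> nobody is allowed
#   - <role-name>s listed         -> only users in those roles
#   - a method the constraint does not list is left unconstrained (open)
# Assumption: one constraint per method; combining overlapping constraints is out of scope.
import xml.etree.ElementTree as ET

METHODS = ("GET", "POST", "PUT", "DELETE")
def classify(constraint):
    """Return (covered_methods, rule) for one <security-constraint> element;
    rule is 'everyone', 'nobody', or a set of role names."""
    methods = {m.text.strip() for m in constraint.iter("http-method")}
    covered = frozenset(methods) if methods else frozenset(METHODS)
    auth = constraint.find("auth-constraint")
    if auth is None:
        return covered, "everyone"
    roles = {r.text.strip() for r in auth.findall("role-name")}
    return covered, (roles if roles else "nobody")

def access_matrix(web_xml):
    """Map each method to the rule that applies on the constrained url-pattern."""
    matrix = {m: "unconstrained" for m in METHODS}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        covered, rule = classify(sc)
        for m in covered:
            matrix[m] = rule
    return matrix

def fragment(methods, roles):
    """Constructed one-constraint <web-app>; roles is None (no auth-constraint),
    [] (empty auth-constraint) or a list of role names."""
    http = "".join(f"<http-method>{m}</http-method>" for m in methods)
    auth = "" if roles is None else (
        "<auth-constraint>"
        + "".join(f"<role-name>{r}</role-name>" for r in roles)
        + "</auth-constraint>")
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>r</web-resource-name><url-pattern>/*</url-pattern>"
            f"{http}</web-resource-collection>{auth}</security-constraint></web-app>")

SCENARIO_1 = fragment(["GET"], None)   # scenario 1: GET, no auth-constraint
SCENARIO_2 = fragment([], ["Admin"])   # scenario 2: no http-method, Admin only
SCENARIO_3 = fragment(["GET"], [])     # scenario 3: GET, empty auth-constraint
if __name__ == "__main__":
    for name, frag in (("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)):
        print("scenario", name, access_matrix(frag))
```

Running it prints one dictionary per scenario; scenario 2 shows every method limited to the Admin role, which is the point Shiva raises about the second answer.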
Ranch Hand
Posts: 357
Hi Ruchi
Can you please send me a link to where I can find this?

SVR.12.8.2, Page 98.

???