http-method not specified

 
Kejal Shah
Ranch Hand
Posts: 87
Hi ranchers,
If you combine the errata of HFSJ book and the pages 634, 635, you'll end up confused.

Specific question is:
What would happen if the <http-method> element is not specified for a <url-pattern> in the <web-resource-collection> of a <security-constraint>?

A. ALL http-methods are ALLOWED
B. ALL http-methods are CONSTRAINED

I think the answer should be A. Please pour in your views.
 
Kejal Shah
Ranch Hand
Posts: 87
Guys, any views on this one?
 
John Mallavalli
Ranch Hand
Posts: 46
Hi Kejal,
Even I think the answer should be A.
Cheers,
John
 
shiva viswanathan
Ranch Hand
Posts: 152
I think this will also depend on the role names specified under the <auth-constraint> tag.
 
Kejal Shah
Ranch Hand
Posts: 87
How?
 
shiva viswanathan
Ranch Hand
Posts: 152
If you specify the http-method as GET and the role as Admin in the auth-constraint, then this means that only Admin can use the GET method to access the resource.

However, all other methods are unconstrained and can be accessed by all.
 
Kejal Shah
Ranch Hand
Posts: 87
What you say is indeed true IF we specify any http-method. WHAT IF we DON'T specify any http-method?
 
Bhumika Thakkar
Ranch Hand
Posts: 79
  • 0
1) If <http-method> does not exist, then ALL methods are BLOCKED for ALL USERS.
2) If <auth-constraint> does not exist, ALLOW ALL USERS without authentication.
3) If <auth-constraint> exists but <role-name> does not exist, then NO USERS ARE ALLOWED.

Refer to pg. 636 of HFS.
 
Kejal Shah
Ranch Hand
Posts: 87
Yep, that's what my query was. If you mix the errata and page 636, we end up all confused. Here's the errata:

{634} handwritten comment at the bottom:
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
should be:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."

And here's the link for quick reference: http://www.oreilly.com/catalog/headservletsjsp/errata/headservletsjsp.confirmed

I think:
If NO http-method is specified -> ALL ALLOWED. If we think about it, this makes sense. The security-constraint element mentions the http-methods to be "constrained". Also, if you mention only GET in http-method, it's constrained, but the others, POST, PUT..., are allowed. Going by the same logic, NO http-method would mean ALLOW ALL methods.

I think I'll try it and let you guys know.
 
Bhumika Thakkar
Ranch Hand
Posts: 79
"If no <http-method> element is present, then the constraint applies to all of the HTTP methods."
- SCWCD, Hanumant Deshmukh.
 
Kejal Shah
Ranch Hand
Posts: 87
Phew! Finally, I managed to try this out on the jsp-examples provided with the Tomcat 5 installation.

http-method   auth-constraint    result
---------------------------------------------------------------------
none          none               OK. no login asked
none          blank              403 forbidden
none          role-name tomcat   valid login allowed
                                 invalid login not allowed

GET           none               OK. no login asked
GET           blank              403 forbidden
GET           role-name tomcat   valid login allowed
                                 invalid login not allowed

Verdict:
No http-method specified: ALL allowed, and it really depends on the auth-constraint.
 
Leandro Melo
Ranch Hand
Posts: 401
Originally posted by Kejal Shah:

Verdict:
no http-method specified, ALL allowed, and it really depends on the auth-constraint.


Hi Kejal. Actually, the spec says the opposite (p. 133 of the 2.4 servlet spec)!
No http-method specified: ALL CONSTRAINED.
Check out this thread (especially the last post).
http://www.coderanch.com/t/170057/java-Web-Component-SCWCD/certification/security-constraint
[ July 28, 2005: Message edited by: Leandro Melo ]
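As an added illustration of the rules discussed in this thread (not code from the thread, from Tomcat or from the spec), the following Python model evaluates web.xml <security-constraint> elements the way the Deshmukh quote and Bhumika's three points describe: a missing <http-method> covers every method, a missing <auth-constraint> needs no login, and an empty one denies everyone. The web.xml fragment, paths and the "tomcat" role are constructed; when several constraints match the same request it applies the Servlet 2.4 combining rules (an empty auth-constraint overrides everything, a missing one allows unauthenticated access, otherwise the role names are unioned), which goes beyond the single-constraint cases tested above.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread): the first constraint has no
# <http-method>, the second names GET only and has an empty <auth-constraint>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/reports/*</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    # url-pattern forms: exact, path prefix '/x/*', extension '*.ext', default '/'
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def constraint_covers(sc, method, path):
    for wrc in sc.findall("web-resource-collection"):
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        # No <http-method> means the constraint applies to ALL methods (spec / Deshmukh)
        if methods and method.upper() not in methods:
            continue
        if any(pattern_matches(p.text.strip(), path) for p in wrc.findall("url-pattern")):
            return True
    return False

def decide(web_xml, method, path, roles, authenticated):
    """Return 'ALLOW', 'LOGIN' (container asks for credentials) or 'FORBIDDEN' (403)."""
    root = ET.fromstring(web_xml)
    matched = [sc for sc in root.findall("security-constraint") if constraint_covers(sc, method, path)]
    if not matched:
        return "ALLOW"  # unconstrained resource
    auths = [sc.find("auth-constraint") for sc in matched]
    if any(a is not None and a.find("role-name") is None for a in auths):
        return "FORBIDDEN"  # empty <auth-constraint>: nobody, whatever other constraints say
    if any(a is None for a in auths):
        return "ALLOW"  # missing <auth-constraint>: no authentication required
    permitted = {r.text.strip() for a in auths for r in a.findall("role-name")}
    if set(roles) & permitted:
        return "ALLOW"
    return "FORBIDDEN" if authenticated else "LOGIN"
```

Run it against Kejal's table: the "none / role-name tomcat" row becomes decide(WEB_XML, "POST", "/admin/users", set(), False), which yields "LOGIN", while POST to /reports is untouched because only GET was named there.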
 