Question on Rules of auth-constraint

Luke
Greenhorn

Joined: Sep 14, 2005
Posts: 10
Hi

On HFSJ page 639, it gives the following rules:

Case 1


Contents of A
--------------------
<auth-constraint>
<role-name>Guest</role-name>
</auth-constraint>

Contents of B
-----------------

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

People can Access
-----------------------
Guest & Admin


Case 2

Contents of A
--------------------
<auth-constraint>
<role-name>Guest</role-name>
</auth-constraint>

Contents of B
-----------------
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

People can Access
-----------------------
All


Case 3


Contents of A
--------------------
<auth-constraint/>

Contents of B
-----------------
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

People can Access
-----------------------
None

Case 4


Contents of A
--------------------

No <auth-constraint> Element

Contents of B
-----------------
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>


People can Access
-----------------------
All


Now can you please explain who can access the following?


Case 5


Contents of A
-----------------
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Contents of B
-----------------
<auth-constraint/>

People can Access
-----------------------
???

case 6


Contents of A
-----------------
<auth-constraint/>

Contents of B
-----------------
No <auth-constraint> Element

People can Access
-----------------------
???


I would like to know which takes precedence between (*,Empty tag && the No auth tag)

Thanks
[ September 14, 2005: Message edited by: Luke Augustus ]
B.Sathish
Ranch Hand

Joined: Aug 18, 2005
Posts: 372
I had asked the same question a few days back. I didn't get a reply. Looks like you can try it out and post the results. I feel the <auth-constraint/> would win
Esam Ahmed
Ranch Hand

Joined: Aug 10, 2005
Posts: 101
Case 5


Contents of A
-----------------
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Contents of B
-----------------
<auth-constraint/>

People can Access
-----------------------
???

NOBODY: because <auth-constraint /> interprets as it is declaring who are allowed, but anyway nobody is. It is an empty tag. Does not declare anybody with the body.

case 6


Contents of A
-----------------
<auth-constraint/>

Contents of B
-----------------
No <auth-constraint> Element

People can Access
-----------------------
???

NOBODY: No <auth-constraint> element is the same as allowing everybody as with:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

As noted in HFS/J (p 637): "NO <auth-constraint> is the opposite of an EMPTY <auth-constraint /> ! "

The rule also says: "an empty <auth-constraint> tag combines with anything else to allow access to nobody! In other words, an empty <auth-constraint> is always the final word." (From HFS/J p. 639)

Let me know if it is clear...

Esam.


Esam
SCJP 1.4, SCWCD 1.4
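
The combining rules quoted in this thread (cases 1 to 6), written out as one Java function. This is an added example, not code from HFSJ or from any poster; the class name, method name and the null / empty-list encoding of the three kinds of auth-constraint are assumptions made for the illustration.

```java
import java.util.*;

public class AuthConstraintCombiner {
    // Encoding assumed for this example, one entry per <security-constraint>
    // that matches the same URL pattern and HTTP method:
    //   null          -> no <auth-constraint> element
    //   empty list    -> <auth-constraint/>
    //   list of names -> <role-name> entries ("*" is the wildcard)
    static String whoCanAccess(List<List<String>> constraints) {
        boolean open = false;                      // "*" or a missing element was seen
        Set<String> roles = new LinkedHashSet<>(); // keeps declaration order
        for (List<String> c : constraints) {
            if (c == null) { open = true; continue; }
            if (c.isEmpty()) return "None";        // empty tag is always the final word
            for (String r : c) {
                if ("*".equals(r)) open = true; else roles.add(r);
            }
        }
        // Otherwise the named roles are merged (union), as in Case 1.
        return (open || roles.isEmpty()) ? "All" : String.join(" & ", roles);
    }

    public static void main(String[] args) {
        List<String> noElement = null;
        List<String> emptyTag = Collections.emptyList();
        List<String> guest = Arrays.asList("Guest");
        List<String> admin = Arrays.asList("Admin");
        List<String> star = Arrays.asList("*");

        // The six A/B combinations from the thread, in order.
        List<List<List<String>>> cases = Arrays.asList(
            Arrays.asList(guest, admin),        // Case 1
            Arrays.asList(guest, star),         // Case 2
            Arrays.asList(emptyTag, admin),     // Case 3
            Arrays.asList(noElement, admin),    // Case 4
            Arrays.asList(star, emptyTag),      // Case 5
            Arrays.asList(emptyTag, noElement)  // Case 6
        );
        for (int i = 0; i < cases.size(); i++) {
            System.out.println("Case " + (i + 1) + ": " + whoCanAccess(cases.get(i)));
        }
    }
}
```

The early return on the empty list is what makes the result independent of the order in which the two constraints appear in web.xml.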
Luke
Greenhorn

Joined: Sep 14, 2005
Posts: 10
Esam

Thanks a lot. It's clear now.

Thanks
Luke
 