aspose file tools
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes web app security - Dueling auth-constraint elements Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Reply Bookmark "web app security - Dueling auth-constraint elements" Watch "web app security - Dueling auth-constraint elements" New topic
Author

web app security - Dueling auth-constraint elements

Vidya Sethuraman
Ranch Hand

Joined: Sep 28, 2003
Posts: 45
posted private message
0
Quote
Hi,
I have a doubt regarding Deuling <auth-constraint> elements.
How does the container resolve access
if one security-constraint, has empty <auth-constraint/> tag and
the other constraint has
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Which one does it consider?
Allow access to everybody or allow access to nobody.

Thanks!

Vidya <br />(SCJP 1.4)
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14670
    
  11

I like...
Eclipse IDE Ubuntu VI Editor
posted private message
0
Quote
Ithink this is described in the spec :

SRV.12.8.1 Combining Constraints

The special case of an authorization
constraint that names no roles shall combine with any other constraints to override
their affects and cause access to be precluded.

So nobody will have access. If anybody could comment on that, I'm not feeling 100% sure.

[My Blog]
All roads lead to JavaRanch
Vidya Sethuraman
Ranch Hand

Joined: Sep 28, 2003
Posts: 45
posted private message
0
Quote
Hi,

Thanks for the quick reply! I read the spec and I think an empty <auth-constraint> is always the final word!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: web app security - Dueling auth-constraint elements
 
Similar Threads
Authorisation related
Marcus Green Quiz 1 - Mock Exam Question Doubt
Dueling auth-constraint elements
Doubt on Security
Doubts: Mock by HFSJ 1st Edt