web app security - Dueling auth-constraint elements

Vidya Sethuraman
Ranch Hand

Joined: Sep 28, 2003
Posts: 45
Hi,
I have a doubt regarding dueling <auth-constraint> elements.
How does the container resolve access
if one security-constraint has an empty <auth-constraint/> tag and
the other constraint has
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Which one does it consider?
Allow access to everybody or allow access to nobody?

Thanks!


Vidya
(SCJP 1.4)
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688
    

I think this is described in the spec:

SRV.12.8.1 Combining Constraints

The special case of an authorization
constraint that names no roles shall combine with any other constraints to override
their affects and cause access to be precluded.

So nobody will have access. If anybody could comment on that, I'm not feeling 100% sure.


All roads lead to JavaRanch
Vidya Sethuraman
Ranch Hand

Joined: Sep 28, 2003
Posts: 45
Hi,

Thanks for the quick reply! I read the spec and I think an empty <auth-constraint> is always the final word!
 