web app security - Dueling auth-constraint elements

Vidya Sethuraman
Hi,
I have a doubt regarding Dueling <auth-constraint> elements.
How does the container resolve access if one security-constraint has an empty <auth-constraint/> tag and the other constraint has
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Which one does it consider?
Allow access to everybody or allow access to nobody?

Thanks!


Vidya
(SCJP 1.4)
Christophe Verré
I think this is described in the spec:

SRV.12.8.1 Combining Constraints

The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.

So nobody will have access. If anybody could comment on that, I'm not feeling 100% sure.


Vidya Sethuraman
Hi,

Thanks for the quick reply! I read the spec and I think an empty <auth-constraint> is always the final word!
 
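The combining rule from SRV.12.8.1 discussed in this thread, as an added example that is not part of the original posts and is not container code: a small Java model of how the auth-constraints of several security-constraints matching the same url-pattern and http-method combine. The class name, method name, result strings and the sample roles are hypothetical; a null list stands for a security-constraint that has no auth-constraint element.

```java
import java.util.*;

// Hypothetical model (not container code) of SRV.12.8.1 "Combining Constraints"
// for constraints that match the same url-pattern and http-method.
public class CombineAuthConstraints {

    // Each inner list is the role list of one <security-constraint>:
    //   null        -> no <auth-constraint> element at all
    //   empty list  -> <auth-constraint/> (names no roles)
    //   ["*"]       -> every role defined in the web application
    static String combine(List<List<String>> constraints, Set<String> definedRoles) {
        if (constraints.isEmpty()) return "ALLOW UNAUTHENTICATED"; // resource is unconstrained
        Set<String> permitted = new TreeSet<>();
        boolean unauthenticatedAllowed = false;
        for (List<String> roles : constraints) {
            if (roles == null) {
                unauthenticatedAllowed = true;   // constraint without an auth-constraint
            } else if (roles.isEmpty()) {
                return "DENY ALL";               // empty auth-constraint overrides all others
            } else {
                for (String r : roles) {
                    if (r.equals("*")) permitted.addAll(definedRoles);
                    else permitted.add(r);       // union of the named roles
                }
            }
        }
        if (unauthenticatedAllowed) return "ALLOW UNAUTHENTICATED";
        return "ALLOW ROLES " + permitted;
    }

    public static void main(String[] args) {
        Set<String> defined = new TreeSet<>(Arrays.asList("admin", "member")); // constructed roles
        List<String> empty = Collections.emptyList();
        List<String> star = Arrays.asList("*");

        // The case asked about: <auth-constraint/> against <role-name>*</role-name>
        System.out.println(combine(Arrays.asList(empty, star), defined));
        // Two role-naming constraints: the permitted roles are the union
        System.out.println(combine(Arrays.asList(Arrays.asList("admin"), star), defined));
        // A constraint with no auth-constraint combined with a role-naming one
        System.out.println(combine(Arrays.asList(null, Arrays.asList("admin")), defined));
        // The empty auth-constraint also wins over a constraint with no auth-constraint
        System.out.println(combine(Arrays.asList(null, empty), defined));
    }
}
```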