
security-constraint + http-methods

 
Steven Colley
Hi folks, please help me here (please pay attention to the capital letters).

"If there are NO <http-method> elements in the <web-resource-collection>, it would mean that NO http methods are allowed, by ANYONE in ANY role."

"But since we did put in one for GET, it means that ONLY GET is constrained, BUT "ANYONE" IN "ANY" role CAN access POST (or any other HTTP method, for instance)."

and here:

"If you DO specify an <http-method>, then only those methods specified will be constrained. In other words, once you specify even a single <http-method>, YOU AUTOMATICALLY *ENABLE* ANY HTTP METHODS WHICH YOU HAVE *NOT* SPECIFIED."


Could you explain it to me please?

Tks.
 
Steven Colley
Let me try to improve my question.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TEST</web-resource-name>
    <url-pattern>/MyPath/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Member</role-name>
  </auth-constraint>
</security-constraint>

Member is allowed to access the "/MyPath/MyServlet" resource via GET - TRUE

My questions are:

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*?

2- Is Admin (a role not specified for that web resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*?

3- Is Admin (a role not specified for that web resource) allowed to access the "/MyPath/MyServlet" resource via *POST*?

Tks in advance.
 
Jayashree Mohan
My answers are :

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*? - NO

2- Is Admin (a role not specified for that web resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*? - NO

3- Is Admin (a role not specified for that web resource) allowed to access the "/MyPath/MyServlet" resource via *POST*? - YES
 
Connie Ky Leung
1) YES
2) NO
3) YES
 
Bhavna Jharbade
Originally posted by Felipe Pittella:

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*?

2- Is Admin (a role not specified for that web resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*?

3- Is Admin (a role not specified for that web resource) allowed to access the "/MyPath/MyServlet" resource via *POST*?



Hi all,

I agree with Connie. Answers are

1) yes
2) No
3) Yes
 
Steven Colley
Hi Connie and Jaya, could you please help me to figure it out?

just making it clear so..

1) This works fine because the other HTTP methods, like POST, were released since GET was constrained, right?

2) Is this because "Admin" is not part of the auth-constraint tag (role-name), since the constrained resource is using the GET method, right?

3) Because "admin" is not a member of role-name, and it's not using the GET method.


Tks in advance.
 
shweta bulbule
The resource (specified in the URL), when accessed using the method which is constrained (in our example GET), can be accessed only by those who have the permission (Member).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta
 
Connie Ky Leung
Originally posted by shweta bulbule:
The resource (specified in the URL), when accessed using the method which is constrained (in our example GET), can be accessed only by those who have the permission (Member).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta


I agree with the explanation of shweta bulbule.
The summary given is the essence of web security that should be memorized for the exam.
 
Connie Ky Leung
Originally posted by shweta bulbule:
The resource (specified in the URL), when accessed using the method which is constrained (in our example GET), can be accessed only by those who have the permission (Member).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta


Since the <url-pattern> subelement of the <web-resource-collection> element is configured as /MyPath/* in the example, I want to revise Shweta's explanation.

resource in the MyPath directory of the web application + GET + role Member = YES
resource in the MyPath directory of the web application + any method other than GET + any role = YES
resource in the MyPath directory of the web application + GET + any role other than Member = FALSE

Please correct me if I am wrong.
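The rule Shweta and Connie summarize above (only the listed methods are constrained; every other method on the same URL pattern is left open to anyone, authenticated or not) is exactly what a container implements, and it is the classic HTTP verb-tampering misconfiguration. The Python below is an added example, not code from this thread, from the book quoted in the first post, or from any servlet container: it parses the web.xml from the question (with its tag typos fixed so that it parses), evaluates the three questions the way the Servlet specification says to, and then re-runs them against a constructed hardened variant that drops the <http-method> list and adds the Servlet 3.1 <deny-uncovered-http-methods/> element. Two simplifications are assumptions of this example, not the spec: url-pattern matching is reduced to the four syntactic forms without the spec's longest-match ordering, and the special role-name "*" is treated as "any authenticated caller holding at least one role".

```python
"""Evaluate Servlet <security-constraint> rules from a web.xml fragment the way a container does (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the question with its tag typos fixed so
# that it parses.  Only GET under /MyPath/* is constrained, to the Member role.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TEST</web-resource-name>
      <url-pattern>/MyPath/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant: drop the <http-method> list so every method is
# constrained, and add the Servlet 3.1 switch that rejects any uncovered method.
HARDENED_WEB_XML = WEB_XML.replace("      <http-method>GET</http-method>\n", "").replace(
    "<web-app>", "<web-app>\n  <deny-uncovered-http-methods/>")

def url_matches(pattern, path):
    """Servlet url-pattern forms: exact, path prefix "/x/*", extension "*.ext", default "/" (simplified)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def load_policy(web_xml_text):
    """Return (deny_uncovered, rules); each rule is (patterns, methods, omissions, roles).
    roles is None when there is no <auth-constraint> (open to everyone) and an
    empty set when <auth-constraint/> names no role (closed to everyone)."""
    root = ET.fromstring(web_xml_text)
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    rules = []
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.findall("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            omissions = {m.text.strip().upper() for m in wrc.findall("http-method-omission")}
            rules.append((patterns, methods, omissions, roles))
    return deny_uncovered, rules

def is_allowed(policy, path, method, user_roles):
    """Decide whether a caller holding user_roles may send `method` to `path`."""
    deny_uncovered, rules = policy
    method = method.upper()
    path_matched = covered = deny_all = unconstrained = False
    permitted = set()
    for patterns, methods, omissions, roles in rules:
        if not any(url_matches(p, path) for p in patterns):
            continue
        path_matched = True
        # Listing <http-method> narrows the collection to those methods only;
        # <http-method-omission> covers every method except the ones listed.
        if (methods and method not in methods) or method in omissions:
            continue
        covered = True
        if roles is None:
            unconstrained = True
        elif not roles:
            deny_all = True
        else:
            permitted |= roles
    if not path_matched:
        return True                  # no constraint mentions this URL at all
    if not covered:
        return not deny_uncovered    # the uncovered-method gap the thread is about
    if deny_all:                     # an empty <auth-constraint/> overrides the rest
        return False
    if unconstrained:                # a constraint with no <auth-constraint> opens it
        return True
    if "*" in permitted:             # "*": any authenticated caller with a role (assumption)
        return bool(user_roles)
    return bool(permitted & set(user_roles))

def thread_answers(web_xml_text=WEB_XML):
    """The thread's questions (plus anonymous GET/POST) against one web.xml."""
    policy = load_policy(web_xml_text)
    path = "/MyPath/MyServlet"
    return {who + "_" + verb: is_allowed(policy, path, verb, roles)
            for who, roles in (("member", ["Member"]), ("admin", ["Admin"]), ("anon", []))
            for verb in ("GET", "POST")}

if __name__ == "__main__":
    for label, xml in (("as posted", WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, thread_answers(xml))
```

Running it prints the decisions for both descriptors: as posted, Member via POST, Admin via POST and even an anonymous POST are allowed while Admin via GET is denied; hardened, every method under /MyPath/* requires Member. The real fix is the first change (omit <http-method> altogether, or use <http-method-omission> when you genuinely want to leave specific methods open); <deny-uncovered-http-methods/> is the safety net that turns a forgotten method into a 403 instead of a hole, and Tomcat logs a warning at deployment for each constraint that leaves methods uncovered, which is worth grepping for in any web.xml review.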
 
Steven Colley
Connie and Shweta ,

Tks so much, it will help me a lot.

 