JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
security-constraint + http-methods

Steven Colley
Ranch Hand

Joined: Feb 18, 2005
Posts: 290
Hi folks, please help me here: (please, pay attention in capital letters).

"If there are NO <http-method> elements in the <web-resource-collection>, it would mean that NO http methods are allowed, by ANYONE in ANY role."

"But since we did put in one for GET, it means that ONLY GET is constrained, BUT "ANYONE" IN "ANY" role CAN access POST (or other HTTP methods for instance)."

and here:

"if you DO specify an <http-method> then only those methods specified will be constrained. In other words, once you specify even a single <http-method> YOU AUTOMATICALLY *ENABLE* ANY HTTP METHODS WHICH YOU HAVE *NOT* SPECIFIED"


Could you explain it to me please?

Tks.


SCJP | SCWCD | SCBCD | SCWSD 5 | SCEA (I) 1.4 | SCEA 5 | IBM SOA 669
Steven Colley
Ranch Hand

Joined: Feb 18, 2005
Posts: 290
Let me try to improve my question.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TEST</web-resource-name>
    <url-pattern>/MyPath/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Member</role-name>
  </auth-constraint>
</security-constraint>

Member is allowed to access to "/MyPath/MyServlet" resource via GET - TRUE

My questions are:

1- is Member allowed to access the "/MyPath/MyServlet" resource via *POST*??

2- is Admin (role not specified for that web-resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*??

3- is Admin (role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*??

Tks in advance.
Jayashree Mohan
Ranch Hand

Joined: Nov 23, 2005
Posts: 37
My answers are :

1- is Member allowed to access the "/MyPath/MyServlet" resource via *POST*?? - NO

2- is Admin (role not specified for that web-resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*?? - NO

3- is Admin (role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*?? - YES
Connie Ky Leung
Ranch Hand

Joined: Jan 29, 2006
Posts: 42
1) YES
2) NO
3) YES


SCJP 1.4 - 91%, SCWCD - 97%, SCJP 5.0 - 83%, SCJP 6.0, OCEJWCD - 80%
Bhavna Jharbade
Ranch Hand

Joined: Sep 08, 2005
Posts: 69
Originally posted by Felipe Pittella:

1- is Member allowed to access the "/MyPath/MyServlet" resource via *POST*??

2- is Admin (role not specified for that web-resource) allowed to access the
"/MyPath/MyServlet" resource via *GET*??

3- is Admin (role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*??



Hi all,

I agree with Connie. Answers are

1) yes
2) No
3) Yes


SCJP1.4 (86%)
Steven Colley
Ranch Hand

Joined: Feb 18, 2005
Posts: 290
Hi Connie and Jaya, could you please help me to figure it out?

just making it clear so..

1) this works fine because the other HTTP methods like POST were released since GET was constrained, right?

2) is this because "Admin" is not part of the auth-constraint tag (role-name) since the constrained resource is using GET method, right?

3) Because "admin" is not a member of role-name, and it's not using the GET method.


Tks in advance.
shweta bulbule
Ranch Hand

Joined: Mar 24, 2006
Posts: 30
the resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only via those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

correct me if i m wrong.

Thanks,
Shweta


Connie Ky Leung
Ranch Hand

Joined: Jan 29, 2006
Posts: 42
Originally posted by shweta bulbule:
the resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only via those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

correct me if i m wrong.

Thanks,
Shweta


I agree with the explanation of shweta bulbule.
The summary given is the essence of web security that should be memorized for the exam.
Connie Ky Leung
Ranch Hand

Joined: Jan 29, 2006
Posts: 42
Originally posted by shweta bulbule:
the resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only via those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

correct me if i m wrong.

Thanks,
Shweta


Since the <url-pattern> subelement of the <web-resource-collection> element is configured as /MyPath/* in the example, I want to revise Shweta's explanation.

resource in the MyPath directory of the web application + GET + role Member = YES
resource in the MyPath directory of the web application + any method other than GET + any role = YES
resource in the MyPath directory of the web application + GET + any role other than Member = FALSE

Please correct me if I am wrong.
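The rule Shweta and Connie summarise, and the three questions from Steven's second post, can be checked mechanically. The script below is an added example and not code from the thread or from any servlet container: it reads a constructed web.xml fragment with Python's standard xml.etree parser, applies the Servlet-spec matching the posters describe (an explicit <http-method> list constrains only those methods; no <http-method> element constrains every method; the role-names of all matching constraints are combined), and answers the three questions for the GET-only configuration and for a hardened variant with the <http-method> element removed. The function names, the url_matches helper and the HARDENED_WEB_XML text are this example's own assumptions.

```python
"""Toy evaluator for web.xml <security-constraint> semantics (added example).

Models the behaviour discussed in the thread: listing <http-method>GET</http-method>
constrains only GET, so POST (and PUT, DELETE, ...) on /MyPath/* stays open to
anyone. Omitting <http-method> constrains every method, which is the safe default.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the thread's GET-only constraint.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TEST</web-resource-name>
      <url-pattern>/MyPath/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant: no <http-method>, so all methods are constrained.
HARDENED_WEB_XML = WEB_XML.replace("      <http-method>GET</http-method>\n", "")


def url_matches(pattern, path):
    """Servlet-style url-pattern matching: exact, '/prefix/*' or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def load_constraints(web_xml):
    """Return [(url_patterns, methods, roles)] for every web-resource-collection.

    methods: set of listed <http-method> names (empty set = every method constrained).
    roles:   None if the constraint has no <auth-constraint> (unrestricted),
             an empty set for <auth-constraint/> (nobody allowed), else the role names.
    """
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            constraints.append((patterns, methods, roles))
    return constraints


def is_allowed(constraints, path, method, user_roles):
    """True if a caller holding user_roles may send `method` to `path`."""
    method = method.upper()
    allowed_roles = set()
    constrained = unrestricted = False
    for patterns, methods, roles in constraints:
        if not any(url_matches(p, path) for p in patterns):
            continue
        # The thread's crux: a method missing from an explicit list is not
        # covered by this constraint at all, so it imposes nothing on it.
        if methods and method not in methods:
            continue
        if roles is None:
            unrestricted = True       # constraint without auth-constraint
        elif not roles:
            return False              # empty <auth-constraint/> denies everyone
        else:
            constrained = True
            allowed_roles |= roles    # matching constraints combine their roles
    if not constrained or unrestricted:
        return True
    return "*" in allowed_roles or bool(allowed_roles & set(user_roles))


def thread_answers(web_xml=WEB_XML):
    """Answer Steven's three questions for /MyPath/MyServlet."""
    c = load_constraints(web_xml)
    return {
        "member_post": is_allowed(c, "/MyPath/MyServlet", "POST", {"Member"}),
        "admin_get": is_allowed(c, "/MyPath/MyServlet", "GET", {"Admin"}),
        "admin_post": is_allowed(c, "/MyPath/MyServlet", "POST", {"Admin"}),
    }


if __name__ == "__main__":
    print("GET-only constraint:", thread_answers())
    print("no <http-method>:   ", thread_answers(HARDENED_WEB_XML))
```

For the thread's configuration the script returns member_post=True, admin_get=False, admin_post=True, matching Connie's and Bhavna's answers (YES, NO, YES). With the <http-method> element removed, admin_post becomes False while Member keeps access via any method, which is why a constraint meant to protect a path should normally list no <http-method> at all.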
Steven Colley
Ranch Hand

Joined: Feb 18, 2005
Posts: 290
Connie and Shweta ,

Tks so much, it will help me a lot.
