
Qn on auth-constraint

 
Chandrakanth
Ranch Hand
Posts: 60
Which users can access this resource if we have something like the below?

Because the 1st security constraint says nobody has access,
and the second security constraint says everybody has access to the resource.


<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/servlet</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint/>

  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/servlet</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>

  </security-constraint>
</web-app>
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Nobody can access the resources because of <auth-constraint/>. If this is present, then nobody can access the resources, even though permissions are granted in another security constraint for the same resource and HTTP method.

Thanks
 
Chandrakanth
Ranch Hand
Posts: 60
Thx for the reply
 
Akshay Kiran
Ranch Hand
Posts: 220
Yes, that's right.

<auth-constraint/> means NOBODY has access.

But also note that it is NOT the same as
<auth-constraint> being ABSENT -> this grants access to ALL,
which is the same as
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
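
The combination rule discussed in this thread, as an added example that is not part of any post: a Python check that reads a web.xml and reports the effective access for each url-pattern/http-method pair, applying the Servlet specification's rule that an empty auth-constraint overrides the other constraints, a constraint without one permits unauthenticated access, and named roles are unioned. It assumes a web.xml without an XML namespace and compares url-pattern and http-method strings literally; the helper names and the /admin and /public entries with roles admin and ops are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _sc(url, method, auth=""):
    # Build one <security-constraint>; auth="" means no auth-constraint element.
    return ("<security-constraint><web-resource-collection>"
            f"<url-pattern>{url}</url-pattern><http-method>{method}</http-method>"
            f"</web-resource-collection>{auth}</security-constraint>")

# Constructed sample: the question's two constraints plus hypothetical entries.
WEB_XML = "<web-app>" + "".join([
    _sc("/servlet", "POST", "<auth-constraint/>"),
    _sc("/servlet", "POST"),
    _sc("/admin", "GET", "<auth-constraint><role-name>admin</role-name></auth-constraint>"),
    _sc("/admin", "GET", "<auth-constraint><role-name>ops</role-name></auth-constraint>"),
    _sc("/public", "GET"),
]) + "</web-app>"

def effective_access(web_xml):
    """Map (url-pattern, http-method) to 'DENY_ALL', 'PERMIT_ALL' or a set of roles."""
    seen = defaultdict(list)
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # None: element absent. Empty set: <auth-constraint/> naming no roles.
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            # "<all>" is a placeholder used here when no http-method is listed.
            methods = [m.text.strip() for m in wrc.iter("http-method")] or ["<all>"]
            for url in wrc.iter("url-pattern"):
                for method in methods:
                    seen[(url.text.strip(), method)].append(roles)
    result = {}
    for key, entries in seen.items():
        if any(r is not None and not r for r in entries):
            result[key] = "DENY_ALL"      # empty auth-constraint overrides the rest
        elif any(r is None for r in entries):
            result[key] = "PERMIT_ALL"    # no auth-constraint: unauthenticated access
        else:
            result[key] = set().union(*entries)  # union of the named roles
    return result

if __name__ == "__main__":
    for key, access in effective_access(WEB_XML).items():
        print(key, access)
```

Run against a deployment descriptor during review, it flags pairs where a constraint without an auth-constraint opens a resource that another constraint was meant to restrict.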

 