HFS exercise on page 658
|
janne jounivich
Ranch Hand
Joined: Jan 11, 2005
Posts: 45
|
|
Hi,

I have a question about the HFS exercise on page 658, the last scenario/statement and its correctness. I didn't find any info about it on the errata pages. So guys, help me out with this one!

The question was about putting the right elements into the DD, and the use case was: "You want to constrain everything with foo/bar directory so that those with a security role of Admin can invoke ANY HTTP methods on those resources."

According to HFS the correct answer is:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Some Name</web-resource-name>
        <url-pattern>/foo/bar/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Admin</role-name>
      </auth-constraint>
    </security-constraint>

Personally I disagree with the answer on page 660 due to the following explanation: Isn't it so that if http-method IS OMITTED, no requests, no matter which role, are allowed? For the Container to allow any HTTP method (request) for the foo/bar/* directory, there has got to be at least one declared http-method element? Am I right?

JR
|
----
|
 |
Marc Peabody
pie sneak
Sheriff
Joined: Feb 05, 2003
Posts: 4725
|
|
Though a constraint limits who can access a resource, its definition still centers upon who can access a resource, not upon who can't. http-method is designed to simply allow more precision to a constraint. If no http-method is specified, the constraint applies to all methods. Omitting http-method will only make your constraint method-agnostic.

Constraints can get pretty confusing and you can easily make mistakes if you're not careful. Here's a letter I may or may not have received recently from a sweet gal named Mary. Maybe someone here could help her out.

Dear JavaRanch,

My name is Mary and I own my own hiking trail in a private park just south of Denver, Colorado. People like to come to my trail to run, walk, hop, skip, and jump.

The park that holds my trail allows pets but the humans on my trail aren't cleaning up after their dogs. Gross! I decided I don't want to allow dogs (or any other pets) on my trail anymore. How do I fix that? I need a constraint for my trail! So I set a constraint that only allows members of the "human" role. Wonderful! No more dog poo!

A month later I started getting complaints from many of the older folks who walk my trail. They said that a lot of rowdy kids have caused problems with their running, hopping, skipping, and especially jumping! Bummer. Now I need to prevent run, hop, skip, and jump travel-methods on my trail. My previous constraint applied to all methods of travel because I didn't specify any. Humans were allowed to travel however they wanted. So I added to my previous constraint the travel-method of "walk" so that humans could only walk on my trail. No running. No hopping. No skipping. And certainly no jumping!

Feeling pretty good about myself, I took a vacation to Mexico for a couple of weeks. But during my first day there, while working on my tan and sipping on a margarita, I received a phone call from the park ranger who said, "Mary, you're not going to believe this but I swear I just saw some dogs on your trail running, hopping, skipping, and dare I say... jumping!" My heart fell into my stomach as I realized how much poo I'd have to clean up when I get back.

What did I do wrong? What can I have the park ranger do to fix it? Don't you have any good ranch hands that can help me solve this?

Sincerely,
Mary Gotrubble
[ May 09, 2006: Message edited by: Marc Peabody ]
|
A good workman is known by his tools.
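Added example, not part of either poster's message or of HFS: a simplified Python model of how a container applies `security-constraint` elements, run against the exercise's descriptor and against the same descriptor narrowed with one `<http-method>`. The descriptors are constructed, the function names are hypothetical, and the model assumes only exact and `/prefix/*` URL patterns and constraints that carry an `auth-constraint`.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors: the exercise's answer, and the same constraint
# narrowed by adding a single <http-method> element.
NO_METHOD = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Some Name</web-resource-name>
    <url-pattern>/foo/bar/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
</security-constraint></web-app>"""
GET_ONLY = NO_METHOD.replace(
    "</url-pattern>", "</url-pattern>\n    <http-method>GET</http-method>")

def pattern_matches(pattern, path):
    # Assumption: only exact and "/prefix/*" patterns are modelled.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def is_allowed(web_xml, method, path, roles):
    """True if a caller holding `roles` may send `method` to `path`."""
    allowed_roles, covered = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            continue  # constraints without auth-constraint are not modelled
        for wrc in sc.iter("web-resource-collection"):
            urls = [u.text.strip() for u in wrc.iter("url-pattern")]
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            if not any(pattern_matches(u, path) for u in urls):
                continue
            # No <http-method> listed: the constraint covers every method.
            # Methods listed: any method not in the list is left uncovered.
            if methods and method not in methods:
                continue
            covered = True
            allowed_roles |= {r.text.strip() for r in auth.iter("role-name")}
    # A request that no constraint covers is not restricted at all.
    return (not covered) or bool(allowed_roles & set(roles))

if __name__ == "__main__":
    for name, dd in (("no http-method", NO_METHOD), ("GET only", GET_ONLY)):
        for method in ("GET", "POST"):
            print(name, method, "anonymous ->",
                  is_allowed(dd, method, "/foo/bar/x.jsp", []))
```

When reviewing a descriptor, any constraint that lists `<http-method>` elements is worth checking for the methods it leaves uncovered.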
|
 |
janne jounivich
Ranch Hand
Joined: Jan 11, 2005
Posts: 45
|
|
Look at HFS page 634 and the comment written about <http-method>GET</http-method>. Briefly, it said: "If there were no http-method element, it would mean that no HTTP methods are allowed, by ANYONE in any role. But since we put in one role for GET, it means that only GET is constrained...."

I tried to apply this rule to the exercise on page 658. So either this explanation should be edited or the exercise answer. Which one? Or should I just perform a test with Tomcat?

JR
[ May 10, 2006: Message edited by: janne RockGulf ]