-----question: Which of the following can implement security in servlets (select the best answer)?
a. Declarative security.
b. Programmatic security.
c. Both a & b.
d. Servlets do not provide inbuilt security. Java Authentication and Authorization Service (JAAS) has to be used in conjunction with servlets for security.
-----question: By which of the following means do communicating entities prove to one another that they are acting on behalf of specific identities that are authorized for access? Select one choice.
a. Authorization
b. Authentication
c. Data integrity
d. Confidentiality
e. All of the above
For authorization we have:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>..</web-resource-name>
        <url-pattern></url-pattern>
        <http-method></http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>..</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee></transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-role>
      <role-name>..</role-name>
    </security-role>

    <security-role-ref>
      <role-name>..</role-name>
      <role-link>..</role-link>
    </security-role-ref>
Case 2: For programmatic security we have got only three methods defined:

    boolean isUserInRole(String rolename)
    java.security.Principal getUserPrincipal()
    String getRemoteUser()
So now you can see: if we have to secure our web-app resources, we must declare through web.xml which resources have restricted access and which users, in which roles, can access them. Whereas in code (programmatically) we can only determine whether the resource is restricted or not, and whether the user is an authentic one.
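
The split described above, as an added example that is not part of the original post: web.xml is assumed to restrict /reports/* to the role "employee", and the servlet uses the three programmatic methods for a per-record rule that web.xml cannot express. The class name ReportServlet, the role reference "mgr" (assumed linked to a role "manager" through <security-role-ref>) and the "owner" parameter are hypothetical.

```java
// Added example (not from the original post). Assumes web.xml protects
// /reports/* with an <auth-constraint> for role "employee", and that this
// servlet's <security-role-ref> links the name "mgr" to the role "manager".
// ReportServlet, "mgr" and the "owner" parameter are hypothetical names.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Both are null when the container has not authenticated the caller,
        // e.g. the URL is not covered by a security-constraint. Fail closed.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (user == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Default to the caller's own reports when no owner is requested.
        String owner = req.getParameter("owner");
        if (owner == null || owner.isEmpty()) {
            owner = user;
        }

        // The container already checked the "employee" role; the per-record
        // rule cannot be written in web.xml, so it is enforced here.
        boolean isManager = req.isUserInRole("mgr");
        if (!isManager && !owner.equals(user)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Plain text, so the echoed owner value is never parsed as markup.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("caller:    " + principal.getName());
        out.println("manager:   " + isManager);
        out.println("reports of " + owner);
    }
}
```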