Sharpen Your Pencil - PN 658

Imran Vohra
Ranch Hand

Joined: Dec 12, 2005
Posts: 77

On page 658 of HFSJ the question is something like this:

You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources.

The answer given on page 660 is


In the answer <http-method> is missing... so according to my understanding even Admin will not be able to make a call with any http method, because all http-methods are constrained.

Am I right, or wrong somewhere?

Thanks
Imran
Shivani Chandna
Ranch Hand

Joined: Sep 18, 2004
Posts: 380
Hello,
When http-method is missing it means all HTTP methods (GET, PUT, DELETE, TRACE, etc.) are constrained. That is, only the role ADMIN can access any of the above methods for the given resource identified by the url-pattern.

Rgds,
Shivani


/** Code speaks louder than words */
Imran Vohra
Ranch Hand

Joined: Dec 12, 2005
Posts: 77

So, doesn't it mean that even for "Admin", all http-methods are constrained?

Thanks
Imran
salil verma
Greenhorn

Joined: Jun 03, 2006
Posts: 22
Yup yup.
If we don't specify <http-method>, all the methods will be constrained. No one with any role will be able to access any of the http methods,
including admin also.
navat venu
Ranch Hand

Joined: May 14, 2006
Posts: 66
I agree with salil.

I believe the answer given on page 660 is wrong. Authors, please clarify!

The correct answer should be

--------------------------------------------------------------------------
"You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources".

code:
-------------------------------------------------------------------------

<security-constraint>
<web-resource-collection>
<web-resource-name>Name</web-resource-name>
<url-pattern>/foo/bar/*</url-pattern>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
Authors, please correct me if I am wrong!!


--------------------
SCJP 1.4
SCWCD 1.4
SCBCD 5 (in progress)

"Do, what you think that you cannot do"
navat venu
Ranch Hand

Joined: May 14, 2006
Posts: 66
Oh! Sorry, I forgot to add http methods to the above code.

The correct code is:
--------------------------------------------------------------------
code:
-------------------------------------------------------------------------

<security-constraint>
<web-resource-collection>
<web-resource-name>Name</web-resource-name>
<url-pattern>/foo/bar/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
<http-method>CONNECT</http-method>
<http-method>DELETE</http-method>
<http-method></http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
navat venu
Ranch Hand

Joined: May 14, 2006
Posts: 66
In the above code please ignore the last empty http method,
i.e., <http-method></http-method>
Amit Tayal
Ranch Hand

Joined: Apr 25, 2006
Posts: 51
Hi All,
The answer mentioned by Shivani is correct, i.e. in case no <http-method> is specified in web.xml then all the http methods are constrained and only the defined role can access them.

I pasted the below-mentioned code in web.xml, tried accessing the following URL, and it worked fine.
url: http://localhost:8080/SCWCD/selectBeer.do

<security-constraint>
<web-resource-collection>
<web-resource-name>amit</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>tomcat</role-name>
</auth-constraint>

</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
navat venu
Ranch Hand

Joined: May 14, 2006
Posts: 66
shivani & amit,

What do you think, is the answer given on page 660 (HFSJ) correct or not?

If not, what is the correct answer for that question? Is the answer given by me correct?

please clarify!!
Amit Tayal
Ranch Hand

Joined: Apr 25, 2006
Posts: 51
Hi Navat,
The answer given on page 660 (HFSJ) is perfectly all right.

You can even achieve the same goal using your answer but it is not a good way of doing it.

Amit
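Both points made in this thread, Shivani's (no <http-method> means every HTTP method falls under the constraint, and only Admin gets through) and Amit's (spelling out the methods "works" but is not a good way of doing it), can be checked mechanically. What follows is an added example and not code from the book or from any poster: a small Python evaluator of <security-constraint> semantics, run against web.xml fragments constructed here for the page 660 scenario. The url-pattern and the Admin role name come from the thread; the function names, the fragments themselves and the list of probe methods are my own. The evaluator simplifies the spec (no user-data-constraint, no "*" or "**" role names, un-namespaced <web-app> root).

```python
import xml.etree.ElementTree as ET

# Methods a client could send; a constructed probe list for the demonstration.
COMMON_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")


def url_pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/a/*), extension (*.x), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def _texts(parent, tag):
    """Text of every child <tag>, ignoring empty elements such as <http-method/>."""
    return [(e.text or "").strip() for e in parent.findall(tag) if (e.text or "").strip()]


def parse_constraints(web_xml):
    """Pull the <security-constraint> elements out of a web.xml string (assumes no xmlns)."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        collections = [{
            "patterns": _texts(wrc, "url-pattern"),
            "methods": {m.upper() for m in _texts(wrc, "http-method")},
            "omitted": {m.upper() for m in _texts(wrc, "http-method-omission")},
        } for wrc in sc.findall("web-resource-collection")]
        ac = sc.find("auth-constraint")
        # None: no <auth-constraint> at all (open to everyone).
        # Empty set: <auth-constraint/> with no roles (nobody may access).
        roles = None if ac is None else set(_texts(ac, "role-name"))
        constraints.append({"collections": collections, "roles": roles})
    return constraints


def collection_covers(col, path, method):
    """Does this web-resource-collection apply to (path, method)?"""
    if not any(url_pattern_matches(p, path) for p in col["patterns"]):
        return False
    if col["methods"]:           # explicit list: only those methods are constrained
        return method in col["methods"]
    if col["omitted"]:           # Servlet 3.1: every method except the omitted ones
        return method not in col["omitted"]
    return True                  # no <http-method> at all: every method is constrained


def access_decision(constraints, path, method, user_roles):
    """'PERMIT' or 'DENY' for one request, using the spec's rules for combining constraints."""
    matching = [c for c in constraints
                if any(collection_covers(col, path, method) for col in c["collections"])]
    if not matching:
        return "PERMIT"          # uncovered request: the container lets it straight through
    if any(c["roles"] is not None and not c["roles"] for c in matching):
        return "DENY"            # an empty auth-constraint precludes all access
    if any(c["roles"] is None for c in matching):
        return "PERMIT"          # a matching constraint without auth-constraint opens it
    allowed = set().union(*(c["roles"] for c in matching))
    return "PERMIT" if allowed & set(user_roles) else "DENY"


def check(web_xml, path, method, user_roles=()):
    return access_decision(parse_constraints(web_xml), path, method.upper(), user_roles)


def uncovered_methods(web_xml, path, methods=COMMON_METHODS):
    """Methods an unauthenticated client can still use on `path`: the verb-tampering gap."""
    return [m for m in methods if check(web_xml, path, m) == "PERMIT"]


# Constructed fragments for the page 660 scenario (not the book's text).
# 1) The book's approach: no <http-method>, so every method is constrained.
WEB_XML_OMIT_METHODS = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo-bar</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# 2) The "list the methods" approach: anything not listed is left wide open.
WEB_XML_LIST_METHODS = WEB_XML_OMIT_METHODS.replace(
    "<url-pattern>/foo/bar/*</url-pattern>",
    "<url-pattern>/foo/bar/*</url-pattern>\n"
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>")

# 3) An empty <auth-constraint/>: the resource is locked for everybody, Admin included.
WEB_XML_NOBODY = WEB_XML_OMIT_METHODS.replace(
    "<auth-constraint>\n      <role-name>Admin</role-name>\n    </auth-constraint>",
    "<auth-constraint/>")

if __name__ == "__main__":
    for name, xml in (("omit", WEB_XML_OMIT_METHODS), ("list", WEB_XML_LIST_METHODS)):
        print(name, "Admin GET:", check(xml, "/foo/bar/x", "GET", {"Admin"}),
              "anonymous gaps:", uncovered_methods(xml, "/foo/bar/x"))
```

With the book's descriptor every probe method is denied to an anonymous caller and permitted to Admin, which is exactly what the question asked for; with the listed-methods variant PUT, DELETE, HEAD, OPTIONS and TRACE sail through with no role at all, which is why explicitly enumerating methods is the weaker pattern. On a Servlet 3.1 or later container, adding `<deny-uncovered-http-methods/>` to web.xml closes that gap by rejecting methods that no constraint covers.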