Question about Dueling auth-constraint elements

 
Jack Lee
Ranch Hand
Posts: 38
HFSJ describes the rules for dueling <auth-constraint> elements on page 639. There are four rules. But I am still confused by the following combinations:

1. * and empty <auth-constraint>
2. * and no <auth-constraint>
3. empty <auth-constraint> and no <auth-constraint>

Actually, these questions come down to a simple one:

What's the priority order of *, empty, and no <auth-constraint>?
 
Christophe Verré
Sheriff
Posts: 14691
From the spec :
The combination of authorization constraints that name roles or that imply roles via the name "*" shall yield the union of the role names in the individual constraints as permitted roles.
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.


So an empty constraint will override all others, denying access to the resource.
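
The combination rules quoted above, applied to the three pairings from the question, as an added example that is not part of the original thread. It assumes every <security-constraint> in the descriptor covers the same URL pattern and HTTP method, that "*" stands for the roles declared in <security-role> elements, and a constructed web.xml without an XML namespace; `combine` and `descriptor` are hypothetical names.

```python
import xml.etree.ElementTree as ET

DENY_ALL = "deny-all"
ALLOW_UNAUTHENTICATED = "allow-unauthenticated"

def combine(web_xml):
    """Combine all <security-constraint> elements in web_xml.

    Assumption: they all cover the same url-pattern and HTTP method, and the
    descriptor has no XML namespace (true for the constructed samples below).
    Returns DENY_ALL, ALLOW_UNAUTHENTICATED, or a frozenset of permitted roles.
    """
    root = ET.fromstring(web_xml)
    # Assumption: "*" implies every role declared via <security-role>.
    declared = {(r.findtext("role-name") or "").strip()
                for r in root.findall("security-role")}
    constraints = root.findall("security-constraint")
    roles, unconstrained = set(), not constraints
    for sc in constraints:
        auth = sc.find("auth-constraint")
        if auth is None:              # no <auth-constraint> element at all
            unconstrained = True
            continue
        names = [(n.text or "").strip() for n in auth.findall("role-name")]
        if not names:                 # empty <auth-constraint/> overrides all others
            return DENY_ALL
        for name in names:
            roles |= declared if name == "*" else {name}
    return ALLOW_UNAUTHENTICATED if unconstrained else frozenset(roles)

STAR = "<auth-constraint><role-name>*</role-name></auth-constraint>"
EMPTY = "<auth-constraint/>"

def descriptor(*auth_fragments):
    """Build a constructed web.xml; None stands for 'no <auth-constraint>'."""
    body = "".join(
        "<security-constraint><web-resource-collection>"
        "<web-resource-name>r</web-resource-name>"
        "<url-pattern>/report/*</url-pattern>"
        "</web-resource-collection>%s</security-constraint>" % (frag or "")
        for frag in auth_fragments)
    return ("<web-app><security-role><role-name>Admin</role-name></security-role>"
            "<security-role><role-name>Member</role-name></security-role>"
            "%s</web-app>" % body)

if __name__ == "__main__":
    print("1. * and empty:   ", combine(descriptor(STAR, EMPTY)))
    print("2. * and none:    ", combine(descriptor(STAR, None)))
    print("3. empty and none:", combine(descriptor(EMPTY, None)))
```

The order of the constraints in the descriptor does not change the outcome: an empty <auth-constraint/> denies access wherever it appears.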
 
cheenu Dev
Ranch Hand
Posts: 276
Hey Jack, please search. All these posts had already been discussed some time ago.
 