
Question about Dueling auth-constraint elements

Jack Lee
Ranch Hand

Joined: Jun 06, 2006
Posts: 38
HFSJ describes the rules for dueling <auth-constraint> elements on page 639. There are four rules. But I am still confused by the following combinations:

1. * and empty <auth-constraint>
2. * and no <auth-constraint>
3. empty <auth-constraint> and no <auth-constraint>

Actually, these questions come down to a simple one:

What's the priority order of *, empty, and no <auth-constraint>?

SCJP 5.0, SCWCD 1.4
Christophe Verré

Joined: Nov 24, 2005
Posts: 14688

From the spec:
The combination of authorization constraints that name roles or that imply roles via the name "*" shall yield the union of the role names in the individual constraints as permitted roles.
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.

So an empty constraint will override all others, denying access to the resource.

All roads lead to JavaRanch
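
The combination rules quoted from the spec above, modeled as an added example that is not part of the original thread or of any container's code. It assumes a namespace-free descriptor, matches URL patterns by exact string only, and ignores HTTP methods; `effective_access`, `descriptor`, and the role names are hypothetical.

```python
import xml.etree.ElementTree as ET

DENY, OPEN, ROLES = "deny-all", "unauthenticated-access", "roles"

def effective_access(web_xml, url_pattern):
    """Combine all <security-constraint> elements that list url_pattern."""
    root = ET.fromstring(web_xml)
    # "*" is shorthand for every role declared in the descriptor.
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    matching = [sc for sc in root.findall("security-constraint")
                if url_pattern in {p.text.strip() for p in
                                   sc.findall("web-resource-collection/url-pattern")}]
    # A resource that no constraint covers is not protected at all.
    allowed, saw_unconstrained = set(), not matching
    for sc in matching:
        auth = sc.find("auth-constraint")
        if auth is None:                  # no <auth-constraint> element at all
            saw_unconstrained = True
            continue
        names = {r.text.strip() for r in auth.findall("role-name")}
        if not names:                     # empty <auth-constraint/>
            return DENY, set()            # overrides every other constraint
        allowed |= declared if "*" in names else names
    if saw_unconstrained:                 # beats any named or implied roles
        return OPEN, set()
    return ROLES, allowed                 # union of the role names

def descriptor(*auth_elements):
    """Constructed web.xml: one constraint on /secure/* per argument."""
    roles = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                    for r in ("Admin", "Member", "Guest"))
    constraints = "".join(
        "<security-constraint><web-resource-collection>"
        "<web-resource-name>demo</web-resource-name>"
        "<url-pattern>/secure/*</url-pattern></web-resource-collection>"
        f"{auth}</security-constraint>" for auth in auth_elements)
    return f"<web-app>{roles}{constraints}</web-app>"

STAR = "<auth-constraint><role-name>*</role-name></auth-constraint>"
EMPTY = "<auth-constraint/>"
ABSENT = ""                               # constraint without <auth-constraint>

if __name__ == "__main__":
    cases = [("* + empty", (STAR, EMPTY)), ("* + none", (STAR, ABSENT)),
             ("empty + none", (EMPTY, ABSENT))]
    for label, parts in cases:
        print(label, "->", effective_access(descriptor(*parts), "/secure/*")[0])
```

The three combinations from the question resolve to deny-all, unauthenticated access, and deny-all, which gives the order: empty, then no <auth-constraint>, then * and named roles.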
cheenu Dev
Ranch Hand

Joined: Nov 13, 2005
Posts: 276
Hey Jack, please search. All these posts have already been discussed some time ago.