Webapp Security

 
Ranch Hand
Posts: 85
Hello everybody, I've got 2 questions. Please help me to get them clarified.

[Q1]

<security-constraint>
    <web-resource-collection>
        <web-resource-name>MyServlet</web-resource-name>
        <url-pattern>/data/foo.doo</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>


A part of a web.xml (deployment descriptor) is given above. As far as I know <auth-constraint> is optional, and if we haven't used an <auth-constraint> element inside the <security-constraint> element, that particular resource (combination of HTTP method + URL pattern) can be accessed by everybody. So according to the above web.xml (deployment descriptor) everybody can access that particular resource even without being authenticated. So what is the point of creating a security constraint without <auth-constraint>? [since it doesn't do anything its name implies without <auth-constraint>] I would be grateful if anybody can explain it, since I'm a newcomer to the SCWCD world.


[Q2]
<web-app>

    <!-- Assume that required servlet+servlet mappings are here -->

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MyServlet</web-resource-name>
            <url-pattern>/data/foo.doo</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MyServlet</web-resource-name>
            <url-pattern>/data/foo.doo</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- the wildcard must be wrapped in <role-name>; a bare * inside <auth-constraint> is not valid -->
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Assume that required servlet+servlet mappings are here -->

</web-app>


A part of a web.xml (deployment descriptor) is given above. According to the above piece of tags, I think that everybody can access that particular resource (combination of HTTP method + URL pattern). Is it wrong? If so, please explain it...

Regards,
VIRAJ
 
Ranch Hand
Posts: 101
Hi Viraj,

I will try to answer your 2 questions:


Q1. what is the point of creating a security constraint without <auth-constraint>?

Ans: If you don't use the <auth-constraint> element then anybody can make the request [but in a constrained way] for the resources specified by the <url-pattern> and <http-method> combination BUT if you specify the <auth-constraint> element then ONLY the <role-name> specified inside it can make a constrained request.

Anyway, your resources are requested/served in a constrained way even if you don't specify the <auth-constraint> element.

Q.2
Answer: Whenever you see 2 empty <auth-constraint> elements remember the golden rule "ACCESS IS GRANTED TO THE UNION OF ALL ROLES FROM BOTH THE <auth-constraint> ELEMENTS"

I hope I am able to justify my answer.
 
Ranch Hand
Posts: 292

    Q1. what is the point of creating a security constraint without <auth-constraint>?

    Ans: If you don't use the <auth-constraint> element then anybody can make the request [but in a constrained way] for the resources specified by the <url-pattern> and <http-method> combination BUT if you specify <auth-constraint> element then ONLY the <role-name> specified inside it can make a constrained request.

It's not in a constrained way... absence of <auth-constraint> means unauthenticated access.
In the servlet spec (page 97) it says:

    An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests.

And it's a very easy thing to try out and confirm yourself.

    Q.2
    Answer: Whenever you see 2 empty <auth-constraint> elements remember the golden rule "ACCESS IS GRANTED TO THE UNION OF ALL ROLES FROM BOTH THE <auth-constraint> ELEMENTS"

This holds good for 2 non-empty <auth-constraint> sub-elements... whenever an empty <auth-constraint> sub-element is present in any one of the <security-constraint> elements the result is no access for anybody to the common constrained resources.
In the spec (page 98) it says:

    The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.


[ December 11, 2006: Message edited by: Sayak Banerjee ]
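An added example, not from the thread, that applies the combination rules quoted above to both descriptors in the question: it parses the Q2 web.xml (constructed here with the wildcard inside <role-name>, as the descriptor schema requires) and decides a request the way the spec describes. The url-pattern matcher and the reading of '*' as "any authenticated caller with a role" are my simplifications.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml reproducing the thread's Q2, wildcard wrapped in <role-name>.
WEB_XML_Q2 = """<web-app><security-constraint>
<web-resource-collection><web-resource-name>MyServlet</web-resource-name>
<url-pattern>/data/foo.doo</url-pattern><http-method>GET</http-method>
</web-resource-collection><auth-constraint/></security-constraint>
<security-constraint>
<web-resource-collection><web-resource-name>MyServlet</web-resource-name>
<url-pattern>/data/foo.doo</url-pattern>
<http-method>POST</http-method><http-method>GET</http-method>
</web-resource-collection><auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint></web-app>"""

def parse_constraints(xml_text):
    # One (patterns, methods, roles) per <security-constraint>;
    # roles is None when <auth-constraint> is absent, [] when present but empty.
    result = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        methods = [m.text.strip() for m in sc.iter("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.iter("role-name")]
        result.append((patterns, methods, roles))
    return result

def url_matches(pattern, path):
    if pattern.endswith("/*"):  # path-prefix mapping
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):  # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern  # exact mapping

def is_allowed(constraints, method, path, user_roles=None):
    # user_roles is None when unauthenticated. Spec rules: empty constraint denies
    # everyone, absent one allows unauthenticated access, else union of roles ('*' = any role).
    union, open_access = set(), False
    for patterns, methods, roles in constraints:
        if not any(url_matches(p, path) for p in patterns) or (methods and method not in methods):
            continue  # constraint does not cover this URL/method pair
        if roles is None:
            open_access = True
        elif not roles:
            return False  # empty <auth-constraint/> overrides all other constraints
        else:
            union |= set(roles)
    if open_access or not union:
        return True
    user_roles = set(user_roles or ())
    return bool(user_roles) and ("*" in union or bool(union & user_roles))
```

Note that the empty constraint in Q2 lists only GET, so POST on the same URL is still reachable by any authenticated caller with a role, while an unlisted method such as PUT is not constrained at all.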
 
Siddharth Purandare
Ranch Hand
Posts: 101
Thanks Sayak for the clarification.