Hello everybody, I've got 2 questions. Please help me get them clarified.
[Q1]
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyServlet</web-resource-name>
    <url-pattern>/data/foo.doo</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>
A part of a web.xml (deployment descriptor) is given above. As far as I know, <auth-constraint> is optional, and if we haven't used an <auth-constraint> element inside the <security-constraint> element, that particular resource (combination of HTTP method + URL pattern) can be accessed by everybody. So according to the above web.xml (deployment descriptor), everybody can access that particular resource even without being authenticated. So what is the point of creating a security constraint without <auth-constraint>? [since it doesn't do anything that its name implies without <auth-constraint>] I would be grateful if anybody can explain it, since I'm a newcomer to the SCWCD world.
[Q2]
<web-app>
  <!-- Assume that required servlet+servlet mappings are here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyServlet</web-resource-name>
      <url-pattern>/data/foo.doo</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyServlet</web-resource-name>
      <url-pattern>/data/foo.doo</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Assume that required servlet+servlet mappings are here -->
</web-app>
A part of a web.xml (deployment descriptor) is given above. According to the above piece of tags, I think that everybody can access that particular resource (combination of HTTP method + URL pattern). Is it wrong? If so, please explain it...
Regards,
VIRAJ
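
The Servlet specification's rules for combining constraints, applied to the two descriptors above (an added example, not part of the original post). The function name `effective_access` is hypothetical, and the sketch assumes exact-match URL patterns, no XML namespace on `<web-app>`, and the Q2 role written as `<role-name>*</role-name>`.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the Q1 and Q2 descriptors, reduced to their constraints.
Q1 = """<web-app><security-constraint><web-resource-collection>
<url-pattern>/data/foo.doo</url-pattern><http-method>GET</http-method>
</web-resource-collection></security-constraint></web-app>"""

# Assumption: the "*" role is wrapped in <role-name>, as the schema requires.
Q2 = """<web-app>
<security-constraint><web-resource-collection>
<url-pattern>/data/foo.doo</url-pattern><http-method>GET</http-method>
</web-resource-collection><auth-constraint/></security-constraint>
<security-constraint><web-resource-collection>
<url-pattern>/data/foo.doo</url-pattern>
<http-method>POST</http-method><http-method>GET</http-method>
</web-resource-collection>
<auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint></web-app>"""

def effective_access(web_xml, url, method):
    """Combine every constraint covering (url, method).

    Returns "uncovered", "open", "denied", or a sorted list of role names.
    """
    found = []  # one entry per matching constraint: None or a list of roles
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            urls = [u.text.strip() for u in wrc.findall("url-pattern")]
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            # No <http-method> at all means the collection covers every method.
            if url in urls and (not methods or method in methods):
                ac = sc.find("auth-constraint")
                found.append(None if ac is None else
                             [r.text.strip() for r in ac.findall("role-name")])
                break
    if not found:
        return "uncovered"   # no constraint applies to this method at all
    if any(roles == [] for roles in found):
        return "denied"      # an empty <auth-constraint/> overrides the rest
    if any(roles is None for roles in found):
        return "open"        # no <auth-constraint>: no authentication needed
    return sorted({r for roles in found for r in roles})  # union of roles

if __name__ == "__main__":
    for name, doc in (("Q1", Q1), ("Q2", Q2)):
        for m in ("GET", "POST"):
            print(name, m, effective_access(doc, "/data/foo.doo", m))
```

A constraint without `<auth-constraint>` still has a use: it can carry a `<user-data-constraint>` that sets a transport guarantee for the resource.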