Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>bigwig</role-name>
      </auth-constraint>
    </security-constraint>

A. Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B. Any authenticated user can access the resource.
C. Any user (authenticated or not) can access the resource.
D. Via RequestDispatcher.include().
E. Via RequestDispatcher.forward().
F. Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.
The answer is A D E. Can somebody explain to me why?
F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their effects and cause access to be precluded. So the first setting overrides the second.
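The combining rule quoted above can be checked mechanically against a descriptor. The following is an added example, not part of the original thread: a small audit helper (the name `effective_access` is hypothetical) that assumes exact url-pattern matching and a descriptor without XML namespaces, and models direct client requests only, since constraints are not applied to RequestDispatcher forward() or include().

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the two constraints from the question, wrapped in a
# <web-app> root so it parses (no namespace, for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TheCheckedServlet</web-resource-name>
      <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TheCheckedServlet</web-resource-name>
      <url-pattern>/CheckedServlet</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>bigwig</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def effective_access(web_xml, pattern, method):
    """Combine every constraint naming this exact url-pattern and method.
    Returns 'DENY_ALL', 'PERMIT_ALL', or the set of roles allowed."""
    roles, applies, unauthenticated = set(), False, False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            # No <http-method> means the collection covers every method.
            if pattern not in patterns or (methods and method not in methods):
                continue
            applies = True
            auth = sc.find("auth-constraint")
            if auth is None:
                unauthenticated = True       # no auth-constraint: open access
            else:
                named = {r.text.strip() for r in auth.iter("role-name")}
                if not named:
                    return "DENY_ALL"        # empty auth-constraint overrides all
                roles |= named
    if not applies or unauthenticated:
        return "PERMIT_ALL"
    return roles
```

For the descriptor in the question, both GET and POST on /CheckedServlet come out as DENY_ALL, which is why option F fails.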
Thanks Satou !!!
I've tried using the forward() method to invoke the secured servlet. You're right about it.