JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Mock question -- on security

Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>bigwig</role-name>
    </auth-constraint>
</security-constraint>
A. Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B. Any authenticated user can access the resource.
C. Any user (authenticated or not) can access the resource.
D. Via RequestDispatcher.include().
E. Via RequestDispatcher.forward().
F. Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.

The answer is A D E.
Can somebody explain to me why?

Thanks in advance
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
A. If you've got another mapping pointing to TheCheckedServlet, but which is not declared in a security-constraint, you will be able to access it.
For example:

D. E. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.


[My Blog]
All roads lead to JavaRanch
Mirko Bonasorte
Ranch Hand

Joined: May 14, 2007
Posts: 244
Hi to everybody,
Why not the F choice?


Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their effects and cause access to be precluded. So the first setting overrides the second.
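The combination rules behind A, D, E (Christophe's first reply) and F (this reply), modelled as an added example that is not code from the thread. It parses the question's descriptor, to which a constructed second mapping, /backdoor, for a hypothetical servlet named Checked has been added, and evaluates a request the way the Servlet spec's security-constraint rules do; url-pattern matching covers exact, /prefix/* and *.ext mappings, which goes beyond the question's single exact pattern.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml: the thread's two constraints plus an extra, unconstrained mapping (answer A).
WEB_XML = """<web-app>
<servlet-mapping><servlet-name>Checked</servlet-name><url-pattern>/CheckedServlet</url-pattern></servlet-mapping>
<servlet-mapping><servlet-name>Checked</servlet-name><url-pattern>/backdoor</url-pattern></servlet-mapping>
<security-constraint><web-resource-collection><web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern></web-resource-collection><auth-constraint /></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern><http-method>GET</http-method></web-resource-collection>
<auth-constraint><role-name>bigwig</role-name></auth-constraint></security-constraint>
</web-app>"""

def _url_match(pattern, path):          # exact, "/prefix/*" and "*.ext" mappings
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path.endswith(pattern[1:]) if pattern.startswith("*.") else path == pattern

def _collection_match(coll, path, method):   # no <http-method> means every method
    methods = [m.text.strip() for m in coll.findall("http-method")]
    return (any(_url_match(p.text.strip(), path) for p in coll.findall("url-pattern"))
            and (not methods or method in methods))

def is_permitted(web_xml, path, method, roles=None, dispatch="REQUEST"):
    """roles=None is an unauthenticated client. Constraints are enforced only on the
    client request, never on a RequestDispatcher forward/include (answers D and E)."""
    if dispatch in ("FORWARD", "INCLUDE"):
        return True
    allowed_roles, applicable, unrestricted = set(), 0, False
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        if not any(_collection_match(c, path, method)
                   for c in sc.findall("web-resource-collection")):
            continue
        applicable += 1
        ac = sc.find("auth-constraint")
        if ac is None:                          # no auth-constraint: open to everyone
            unrestricted = True
        elif ac.find("role-name") is None:      # empty <auth-constraint/>: nobody, ever (F)
            return False
        else:                                   # named roles from all matches are unioned
            allowed_roles |= {r.text.strip() for r in ac.findall("role-name")}
    if applicable == 0 or unrestricted:
        return True
    return roles is not None and ("*" in allowed_roles or bool(allowed_roles & set(roles)))

def anonymous_paths(web_xml, servlet_name, method="GET"):
    """Answer A: url-patterns mapped to the servlet that an unauthenticated request reaches."""
    root = ET.fromstring(web_xml)
    return [m.find("url-pattern").text.strip() for m in root.findall("servlet-mapping")
            if m.find("servlet-name").text.strip() == servlet_name
            and is_permitted(web_xml, m.find("url-pattern").text.strip(), method)]
```

Auditing a real descriptor with anonymous_paths is the quick way to spot the situation in answer A: every mapping that reaches a protected servlet has to be listed under a constraint, or the constraint is bypassable.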
Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
Thanks Satou!!!

I've tried using the forward() method to invoke the secured servlet. You're right about it.

Thanks again.