Mock question -- on security

Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>bigwig</role-name>
    </auth-constraint>
</security-constraint>
A. Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B. Any authenticated user can access the resource.
C. Any user (authenticated or not) can access the resource.
D. Via RequestDispatcher.include().
E. Via RequestDispatcher.forward().
F. Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.

The answer is A D E.
Can somebody explain to me why?

Thanks in advance
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

A. If you've got another mapping pointing to TheCheckedServlet, but which is not declared in a security-constraint, you will be able to access it.
For example :


D. E. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.


Mirko Bonasorte
Ranch Hand

Joined: May 14, 2007
Posts: 244
Hi to everybody,
why not the F choice?


Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their effects and cause access to be precluded. So the first setting overrides the second.
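To make the combination rule from the two replies above concrete (answer A and the rejection of F), here is an added model of how a container combines matching security constraints under Servlet 2.4 section 12.8.1; it is illustration code written for this thread, not a servlet container, and it simplifies URL matching to exact and /prefix/* patterns.

```python
"""Constructed model of Servlet 2.4 security-constraint combination (12.8.1).
Not a real container: URL matching is simplified to exact and /prefix/* patterns."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityConstraint:
    url_patterns: list[str]
    http_methods: list[str] = field(default_factory=list)  # empty list = every method
    # None  -> the constraint has no <auth-constraint> element at all
    # []    -> an empty <auth-constraint/> (names no roles)
    roles: Optional[list[str]] = None


def pattern_matches(pattern: str, path: str) -> bool:
    """Simplified matching: exact paths and /prefix/* only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def effective_constraint(constraints, path, method):
    """Combine every constraint that covers path+method.
    Returns 'precluded', 'unrestricted', or the set of permitted roles."""
    matching = [c for c in constraints
                if any(pattern_matches(p, path) for p in c.url_patterns)
                and (not c.http_methods or method in c.http_methods)]
    if not matching:
        return "unrestricted"   # nothing covers this URL: the answer-A alias case
    if any(c.roles == [] for c in matching):
        return "precluded"      # empty <auth-constraint/> overrides all other constraints
    if any(c.roles is None for c in matching):
        return "unrestricted"   # a constraint without <auth-constraint> allows unauthenticated access
    return set().union(*(c.roles for c in matching))  # otherwise: union of the named roles


# The two constraints from the mock question, transcribed from the web.xml extract above
WEB_XML = [
    SecurityConstraint(["/CheckedServlet"], roles=[]),
    SecurityConstraint(["/CheckedServlet"], ["GET"], roles=["bigwig"]),
]

if __name__ == "__main__":
    print(effective_constraint(WEB_XML, "/CheckedServlet", "GET"))    # precluded (why F is wrong)
    print(effective_constraint(WEB_XML, "/CheckedServlet", "POST"))   # precluded
    print(effective_constraint(WEB_XML, "/AnotherMapping", "GET"))    # unrestricted (answer A)
    print(effective_constraint(WEB_XML[1:], "/CheckedServlet", "GET"))  # {'bigwig'} without the first constraint
```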
Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
Thanks Satou!!!

I've tried using the forward() method to invoke the secured servlet. You're right about it.

Thanks again.