Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TheCheckedServlet</web-resource-name>
    <url-pattern>/CheckedServlet</url-pattern>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>TheCheckedServlet</web-resource-name>
    <url-pattern>/CheckedServlet</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>bigwig</role-name>
  </auth-constraint>
</security-constraint>

A. Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B. Any authenticated user can access the resource.
C. Any user (authenticated or not) can access the resource.
D. Via RequestDispatcher.include().
E. Via RequestDispatcher.forward().
F. Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.
The answer is A D E. Can somebody explain to me why?
F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their effects and cause access to be precluded. So the first setting overrides the second.
Thanks Satou !!!
I've tried using the forward() method to invoke the secured servlet. You're right about it.
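The combination rule discussed in this thread, modelled as an added example (not code from any poster or from a servlet container). It assumes exact-match URL patterns only and ignores the "*" role name; the path /OtherMapping is a hypothetical second mapping to the same servlet.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Constraint:
    url_pattern: str
    methods: FrozenSet[str] = frozenset()    # empty = applies to every HTTP method
    # None = no <auth-constraint> element; empty set = <auth-constraint/> (names no roles)
    roles: Optional[FrozenSet[str]] = None


# The two <security-constraint> elements from the question.
CONSTRAINTS = [
    Constraint("/CheckedServlet", roles=frozenset()),
    Constraint("/CheckedServlet", frozenset({"GET"}), frozenset({"bigwig"})),
]


def is_permitted(url, method, user_roles=None, dispatch="REQUEST",
                 constraints=CONSTRAINTS):
    """Return True if the container lets the call through.

    user_roles=None models an unauthenticated caller.
    """
    # Constraints are enforced on client requests only; a servlet reached via
    # RequestDispatcher.forward()/include() is not re-checked (options D, E).
    if dispatch in ("FORWARD", "INCLUDE"):
        return True
    # Simplification: exact URL match instead of the full pattern rules.
    matching = [c for c in constraints
                if c.url_pattern == url and (not c.methods or method in c.methods)]
    if not matching:
        return True   # no constraint covers this URL/method (option A)
    # An auth-constraint naming no roles overrides everything else: no access.
    if any(c.roles is not None and not c.roles for c in matching):
        return False
    # A matching constraint without any auth-constraint allows unauthenticated access.
    if any(c.roles is None for c in matching):
        return True
    # Otherwise the permitted roles are the union over all matching constraints.
    allowed = frozenset().union(*(c.roles for c in matching))
    return user_roles is not None and bool(allowed & set(user_roles))


if __name__ == "__main__":
    print("F:", is_permitted("/CheckedServlet", "GET", {"bigwig"}))
    print("E:", is_permitted("/CheckedServlet", "GET", dispatch="FORWARD"))
    print("A:", is_permitted("/OtherMapping", "GET"))
```

Because dispatched calls and alternate mappings skip the declarative check, a servlet that must stay protected needs every mapping constrained and its callers reviewed.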