Two Laptop Bag
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Mock question -- on security Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of Arduino in Action this week in the General Computing forum!

A special promo: Enter your blog post or vote on a blogger to be featured in an upcoming Journal
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Reply Bookmark "Mock question -- on security" Watch "Mock question -- on security" New topic
Author

Mock question -- on security

Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
posted private message
0
Quote
Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)
<security-constraint>
<web-resource-collection>
<web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>bigwig</role-name>
</auth-constraint>
</security-constraint>
A.Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B.Any authenticated user can access the resource.
C.Any user (authenticated or not) can access the resource.
D.Via RequestDispatcher.include().
E.Via RequestDispatcher.forward().
F.Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.

The answer is A D E.
Can somebody explain to me why?

Thanks in advance
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14685
    
  16

I like...
Eclipse IDE Ubuntu VI Editor
posted private message
0
Quote
A. If you've got another mapping pointing to TheCheckedServlet, but which is not declared in a security-constraint, you will be able to access it.
For example :


D. E. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.

[My Blog]
All roads lead to JavaRanch
Mirko Bonasorte
Ranch Hand

Joined: May 14, 2007
Posts: 244
posted private message
0
Quote
Hi to everybody,
why not the F choice?

SCJP<br />SCWCD 1.4 Upgrade (Remember: me stupid)<br />SCWCD 1.4<br /><a href="http://jcp.org/aboutJava/communityprocess/final/jsr220/index.html" target="_blank" rel="nofollow">SCBCD 5.0</a><br /><a href="http://www.enthuware.com" target="_blank" rel="nofollow">SCBCD 5.0 mock exam</a> <br /> <br />SCEA 5 Part1: Preparing...
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14685
    
  16

I like...
Eclipse IDE Ubuntu VI Editor
posted private message
0
Quote
F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded. So the first setting overrides the second.
Tiffiny Yang
Ranch Hand

Joined: Mar 29, 2006
Posts: 124
posted private message
0
Quote
Thanks Satou !!!

I've tried using forward() method to invoke the secured servlet. You're right about it.

Thanks again.
 
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.
 
subject: Mock question -- on security
 
Similar Threads
Tomcat authentication and RACF
Issue with -Xauthfile execution in wsimport tool(JAX-RI)
Marcus Green Quiz 1 - Mock Exam Question Doubt
Webapp Security
related to auth constraint