Doubt on Security

Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi,
Given that a Deployment Descriptor has only one security role, defined as:
<security-role>
    <role-name>Member</role-name>
</security-role>

Which are valid <auth-constraint> elements that will allow users to access resources constrained by the security role declared?

The answers are
1. <auth-constraint>*</auth-constraint>
2. <auth-constraint><Member</auth-constraint>

Now, I am clear with the second answer. I am not clear with the first answer. How can * (which refers to all) be given access? Can anybody help me?
With regards,
Padma priya N.G.


Padma priya N.G.
Be the change you want to be - Mahatma Gandhi
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

When <auth-constraint>*</auth-constraint> is used, the container does not check the <security-role>. Access is given to everyone. This is the default, as good as no security mechanism being applied to the application. Even the login screen (Form and Basic authentication) will not appear for this constraint.

Thanks


Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Narendra,
As per the question, security is given only to Member and not to all. My question and how the answer has appeared are totally different. Security is given to Member and to all. Can you explain why everyone was chosen when Member alone should have been chosen?
Thanks,
Padma priya N.G.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

You define the resource using <web-resource-collection> and then secure the resource using <auth-constraint> to tell the container that only these roles have access to this area. If there is * in <role-name> under <auth-constraint>, then all users are permitted, including Member. If you want to give access to only Member, then * is not valid.

The <auth-constraint> element has a <role-name> sub-tag; therefore the entries defined in your example are invalid.

Thanks
[ August 28, 2007: Message edited by: Narendra Dhande ]
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Narendra,
Do you mean to say that the answers are invalid?
Thanks,
Padma priya N.G.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

The full sample security-constraint entry is



So, at least at the syntax level, it is invalid.

Thanks
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Narendra,
Do you mean to say that admin is the only person who has the security permission and not all? Am I right?
Thanks,
Padma priya N.G.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi

Only admin can access the POST and GET requests for the given URL in this example. But for other methods, everyone can access the resource.

Thanks
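The two points made above, that <auth-constraint> needs <role-name> children (bare text such as * is a syntax error) and that HTTP methods left out of <web-resource-collection> are not protected at all, can be checked with a small model of the container's decision. The following is an added example, not code from the thread or from any container; it parses a constructed web.xml (the Member/admin roles and /members, /shared, /admin URL patterns are made up for illustration) and applies the Servlet specification's rules: a <role-name> of * stands for every role declared in <security-role>, a caller of a constrained resource who has not logged in is challenged to authenticate, a method not listed is unconstrained, and an empty <auth-constraint/> lets nobody through.

```python
"""Model of how a Servlet container evaluates <security-constraint> entries.
Added example, not from the thread. The role names, URL patterns and the
validate/load/authorize helpers are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed deployment descriptor (namespace omitted for brevity).
WEB_XML = """<web-app>
  <security-role><role-name>Member</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <!-- only Member, for every HTTP method -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>
  <!-- '*' = any declared role (Member or admin); login is still required -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>shared</web-resource-name>
      <url-pattern>/shared/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <!-- admin only for GET and POST; DELETE, PUT etc. are not constrained -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def validate(root):
    """Syntax check: <auth-constraint> must hold <role-name> children, never bare text."""
    problems = []
    for ac in root.iter("auth-constraint"):
        if (ac.text or "").strip() and ac.find("role-name") is None:
            problems.append(f"bare text {ac.text.strip()!r} in <auth-constraint>; wrap it in <role-name>")
    return problems


def load(xml_text):
    """Return (declared roles, [(url patterns, constrained methods, roles-or-None)])."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name").strip() for r in root.iter("security-role")}
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.iter("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.iter("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.iter("http-method")}
        ac = sc.find("auth-constraint")
        # None = no <auth-constraint> at all (unprotected); empty set = <auth-constraint/> (deny all)
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        constraints.append((patterns, methods, roles))
    return declared, constraints


def _matches(pattern, path):
    """Servlet URL-pattern matching: exact, path prefix '/x/*', or extension '*.ext'."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def authorize(descriptor, path, method, user_roles):
    """Decide ALLOW / DENY / AUTHENTICATE; user_roles is None for an anonymous caller."""
    declared, constraints = descriptor
    hits = [(pats, meths, roles) for pats, meths, roles in constraints
            if any(_matches(p, path) for p in pats) and (not meths or method.upper() in meths)]
    if not hits or any(roles is None for _, _, roles in hits):
        return "ALLOW"            # unconstrained URL or method: no login, no role check
    if any(len(roles) == 0 for _, _, roles in hits):
        return "DENY"             # empty <auth-constraint/> precludes all access
    allowed = set()
    for _, _, roles in hits:
        allowed |= declared if "*" in roles else roles   # '*' expands to declared roles
    if user_roles is None:
        return "AUTHENTICATE"     # container presents the BASIC/FORM login
    return "ALLOW" if allowed & set(user_roles) else "DENY"


if __name__ == "__main__":
    dd = load(WEB_XML)
    print(authorize(dd, "/admin/users", "DELETE", None))  # unlisted method: ALLOW without login
```

Running it shows the gap the thread circles around: an anonymous DELETE to /admin/users is allowed because only GET and POST were listed, whereas the same caller sending GET is challenged to log in and a logged-in Member is denied. Leaving <http-method> out of the collection (as the /members constraint does) is what covers every method.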
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Narendra,
Do you mean to say that (1) admin has access to the GET and POST methods and (2) others have access to all the methods?
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi,
Since everyone has access to all the methods in the application, Member and * (indicating everyone) have access to the application. Am I right?
Thanks,
Padma priya N.G.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

Yes, it is like that.

Thanks
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi Narendra,
Thanks for clearing the doubt.
Padma priya N.G.