Hi Ranchers, I have a doubt in <security-constraint> element of web.xml which includes <auth-constraint> .It is said that if <auth-constraint></auth-constraint> and <auth-constarint><role-name>user</role-name></auth-constraint> are defined for one particular component then no one get access to that component.But i want to know whats the result of defining <auth-constraint><auth-constarint> and <auth-constraint>*</auth-constarint> for a particular component,which one have the high priority,wether everyone gets the access or no one will get the access?
First, note that <auth-constraint> needs a sub-element <role-name> if it is not empty (e.g., <auth-constraint>*</auth-constraint> is not valid in the dd). Typical trip-up question for the exam!
Also, it is important to realize that a security-constraint protects a url-pattern, not a component. I know this, because it was a gotcha on one of the practice exams in Bridgewater's book, that fooled me.
Try the following example:
Create a web-app with only an index.jsp page (for instance with NetBeans)
Overwrite the contents of web.xml with the version below. I am assuming that you have a user ide with role admin and password admin (standard in NetBeans); if you don't have them, create them (in Tomcat: edit tomcat-users.xml).
If everything goes well, you'll get a pop-up that requests a user name and password (BASIC authentication). Any user that has a role declared in web.xml will do (if he enters the correct password for his account).
This demonstrates that: 1) The security-constraint protects a url-pattern (because both All-denied and All-access-for-backdoor security constraints essentially protect the same jsp), 2) that auth-constraint for role-name=* means that all declared roles have access and 3) auth-constraint without body has precedence over one with body.