
auth-constraint confusion

carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

Hi Ranchers,
I have a doubt about the <security-constraint> element of web.xml, which includes <auth-constraint>. It is said that if <auth-constraint></auth-constraint> and <auth-constraint><role-name>user</role-name></auth-constraint> are both defined for one particular component, then no one gets access to that component. But I want to know what the result is of defining <auth-constraint></auth-constraint> and <auth-constraint>*</auth-constraint> for a particular component: which one has the higher priority, and does everyone get access or does no one get access?

Knowledge Spreads Everywhere!
Jan van Mansum
Ranch Hand

Joined: Oct 19, 2007
Posts: 74
First, note that <auth-constraint> needs a sub-element <role-name> if it is not empty (e.g., <auth-constraint>*</auth-constraint> is not valid in the dd). Typical trip-up question for the exam!

Also, it is important to realize that a security-constraint protects a url-pattern, not a component. I know this because it was a gotcha on one of the practice exams in Bridgewater's book that fooled me.

Try the following example:
  • Create a web-app with only an index.jsp page (for instance with NetBeans).
  • Overwrite the contents of web.xml with the version below. I am assuming that you have a user ide with role admin and password admin (standard in NetBeans); if you don't have them, create them (in Tomcat: edit tomcat-users.xml).
  • Deploy and run the web-app.
  • You'll get a 403 error.
  • Now enter a path of /Backdoor (with the context-path in front, of course, e.g., http://localhost:8084/SecurityTest/Backdoor).
  • If everything goes well, you'll get a pop-up that requests a user name and password (BASIC authentication). Any user that has a role declared in web.xml will do (if he enters the correct password for his account).

This demonstrates that: 1) the security-constraint protects a url-pattern (because both the All-denied and the All-access-for-backdoor security constraints essentially protect the same jsp), 2) an auth-constraint with role-name=* means that all declared roles have access, and 3) an auth-constraint without a body has precedence over one with a body.

    SCJP 1.4, SCWCD 1.4
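A web.xml that sets up the experiment described in the post above, written here as an added illustration (it is not Jan's own file, which did not survive on this page); it assumes the NetBeans user ide with role admin that he mentions, and it maps the single index.jsp onto /Backdoor so that both constraints guard the same page:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <!-- Serve the one index.jsp also under /Backdoor, so both constraints
       below guard the same JSP through two different url-patterns -->
  <servlet>
    <servlet-name>Index</servlet-name>
    <jsp-file>/index.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>Index</servlet-name>
    <url-pattern>/Backdoor</url-pattern>
  </servlet-mapping>

  <!-- Empty auth-constraint: no role is allowed, so every request matching
       /* is refused with 403 before any login is even asked for -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All-denied</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- role-name *: every role declared in a security-role element below is
       allowed, but only on the exact pattern /Backdoor -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All-access-for-backdoor</web-resource-name>
      <url-pattern>/Backdoor</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC authentication produces the browser's user/password pop-up -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecurityTest</realm-name>
  </login-config>

  <!-- The only declared role; the assumed user "ide" must hold it -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The container applies only the constraints attached to the best-matching url-pattern, so a request for /Backdoor is governed by the exact match /Backdoor alone and the /* constraint is not consulted for it. Had both constraints named the same pattern, their auth-constraints would be combined and the empty one would deny everyone.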
    Remko Strating
    Ranch Hand

    Joined: Dec 28, 2006
    Posts: 893
    An empty <auth-constraint> tag combines with anything and always has the final word. This means no one has access.

    If you're using HFSJ it's on page 639

    Remko (My website)
    SCJP 1.5, SCWCD 1.4, SCDJWS 1.4, SCBCD 1.5, ITIL(Manager), Prince2(Practitioner), Reading/ gaining experience for SCEA,
    I agree. Here's the link: