Doubt in Security Question !

Jagjit Dhaliwal
Greenhorn

Joined: Aug 19, 2007
Posts: 20
Please help me with the following question, as they gave the answer as E.

Consider the web.xml snippet shown in the exhibit.
Now consider the code for a jsp file named unprotected.jsp:

<html>
<body>
<jsp:include page="/jsp/protected.jsp" />
</body>
</html>
Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?

<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/jsp/protected.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  ...
</web-app>
Select 1 correct option.
A. The user will be prompted to enter user name and password
B. An exception will be thrown
C. protected.jsp will be executed but its output will not be included in the response
D. The call to include will be ignored
E. None of these


Jagjit Dhaliwal
SCJP 1.4(90%), SCWCD 1.4(86%)
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

I didn't say that in your other thread, but please quote your sources.


All roads lead to JavaRanch
Jagjit Dhaliwal
Greenhorn

Joined: Aug 19, 2007
Posts: 20
Hi Christophe,

I apologize. I got these questions from Javabeat.com mock exams.

Thanks for your reply,

Jagjit
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

Thank you. I also think that the answer is E.
Jagjit Dhaliwal
Greenhorn

Joined: Aug 19, 2007
Posts: 20
Hi,

Thanks for the reply. Could you please explain this answer?
Amar Nath Verma
Greenhorn

Joined: Dec 05, 2007
Posts: 23
The DD doesn't specify any <http-method>, which means all methods are constrained; only manager can access this JSP (using all methods, i.e. get, post, post, head etc.).

So this page shall be restricted for users other than manager. And unauthorized users shall be prompted for login. (option 1)


thanks
Amar Nath Verma
http://www.amarnathverma.com
SCJP 1.4, SCWCD 5, Preparing for SCEA
Jagjit Dhaliwal
Greenhorn

Joined: Aug 19, 2007
Posts: 20
Even this is what I thought of... but the answer is E, so here am I...

Christophe, could you please explain it.

Regards,

Jagjit
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

SRV.12.2 Declarative Security
The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.
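
Added example, not part of the original thread: since the SRV.12.2 passage quoted above means the <security-constraint> on /jsp/protected.jsp is not checked when unprotected.jsp includes it, one way to keep the role check on internal dispatches is a filter mapped for the INCLUDE and FORWARD dispatchers (Servlet 2.4+). The class name DispatchRoleFilter and its filter mapping are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical filter (name and mapping are assumptions). Map it in web.xml so it
 * also runs on internal dispatches, which the <security-constraint> does not cover:
 *
 *   <filter-mapping>
 *     <filter-name>DispatchRoleFilter</filter-name>
 *     <url-pattern>/jsp/protected.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 */
public class DispatchRoleFilter implements Filter {
    private static final String REQUIRED_ROLE = "manager"; // role from the thread's web.xml
    // Request attribute the container sets while an include is in progress.
    private static final String INCLUDE_URI = "javax.servlet.include.request_uri";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.isUserInRole(REQUIRED_ROLE)) {
            chain.doFilter(req, res);   // authorized: run protected.jsp
            return;
        }
        if (request.getAttribute(INCLUDE_URI) != null) {
            // Inside an include the status and headers belong to the including
            // page, so omit the protected fragment instead of sending an error.
            return;
        }
        // Direct request or forward: refuse, provided nothing has been sent yet.
        if (!res.isCommitted()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    public void destroy() { }
}
```
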
Amar Nath Verma
Greenhorn

Joined: Dec 05, 2007
Posts: 23
Thanks Christophe, got it
Fu Dong Jia
Ranch Hand

Joined: May 23, 2007
Posts: 131
Hi, Christophe

The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.

Additionally, what about when the servlet uses a sendRedirect?
I think it should be subject to the security constraint.
Am I correct?


who dare win!
SCJP5(94%)|SCWCD5(86%)|SCBCD(100%)|SCEA in progress
Aditya Singh
Ranch Hand

Joined: Mar 06, 2008
Posts: 62
I think whatever is triggered from the server side, like an RD include/forward, does not require authentication; since sendRedirect is triggered from the browser, it must be authenticated. Please correct me if I'm wrong.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

Additionally, what about when the servlet uses a sendRedirect? I think it should be subject to the security constraint.

Yes, that's right.
 