
Mock Exam doubt: Very interesting (tricky)

 
gopal venu
Ranch Hand
Posts: 55
Which two statements are true about using the isUserInRole() method to implement security in a Java EE application?
(Choose two)
1. It can be invoked only from doGet()
2. It can be used independently of getRemoteUser()
3. Can return true even when its argument is not defined as a valid role name in the DD.
4. Using the isUserInRole() method overrides any declarative authentication related to the method in which it is invoked
5. Using the isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2,3
I think it's 2,5

Source: Enthuware JwebPlus 1.4
 
Dee Brown
Ranch Hand
Posts: 94
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>
 
Jan Sterk
Ranch Hand
Posts: 142
Originally posted by Dee Brown:
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>


Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD defines BigWig as a valid role-name. It even has a <role-name> tag for it.
 
Jan Sterk
Ranch Hand
Posts: 142
Originally posted by gopal venu:
...
5. Using the isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2,3
I think it's 2,5

Source: Enthuware JwebPlus 1.4


5 is wrong because the method itself doesn't do any authorization - it just returns a boolean.
 
Pham Hoai Van
Greenhorn
Posts: 15
I agree with Jan.
Declarative authorization is always checked first by the container before forwarding to servlet. 5 must be wrong!
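To make the two points of this thread concrete (the <security-role-ref> mapping that lets isUserInRole("BigWig") return true, and the fact that the method only returns a boolean while the container enforces <security-constraint> before the servlet ever runs), here is an added example. It is not from the thread, from Enthuware, or from any Java EE implementation; the servlet name ReportServlet, the package example, the roles "BigWig" and "Admin" and the URL pattern /admin/* are all assumed for illustration.

```java
// Added example, not from the original thread. The web.xml fragment below is
// what this servlet assumes; all names in it are hypothetical.
//
//   <servlet>
//     <servlet-name>ReportServlet</servlet-name>
//     <servlet-class>example.ReportServlet</servlet-class>
//     <!-- Maps the name hardcoded in the servlet ("BigWig") to the real role "Admin". -->
//     <security-role-ref>
//       <role-name>BigWig</role-name>
//       <role-link>Admin</role-link>
//     </security-role-ref>
//   </servlet>
//
//   <!-- Declarative authorization. The container checks this before doGet()
//        is called; nothing the servlet does with isUserInRole() changes it. -->
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Admin area</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>Admin</role-name>
//     </auth-constraint>
//   </security-constraint>
//
//   <security-role>
//     <role-name>Admin</role-name>
//   </security-role>

package example;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic security: isUserInRole() only answers a question.
        // "BigWig" is not a <security-role>, but the <security-role-ref> above
        // links it to "Admin", so this is true for a caller in the Admin role.
        boolean privileged = req.isUserInRole("BigWig");

        // The role check does not depend on getRemoteUser(); that method is
        // only used here for the message and is null for anonymous callers.
        String user = req.getRemoteUser();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user: " + (user == null ? "(anonymous)" : user));

        if (privileged) {
            out.println("showing the full report");
        } else {
            // The servlet decides what to do with the boolean. This branch is
            // the servlet's own policy, not something the container enforced.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("summary only");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // isUserInRole() is a method of HttpServletRequest, so it is usable
        // from any request-handling method, not only doGet().
        doGet(req, resp);
    }
}
```

Two things worth checking when you reason about questions like this one: the <security-role-ref> belongs inside the <servlet> element it applies to, so the same hardcoded name can link to different roles in different servlets; and if a servlet calls isUserInRole() with a name that has no <security-role-ref>, Servlet 2.4 and later containers fall back to matching that name directly against the <security-role> list, which is why a missing reference does not throw but simply behaves as if the name were the role itself.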
 
Dee Brown
Ranch Hand
Posts: 94
"Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD, defines BigWig as valid role-name. It even has a <role-name> tag for it."

The role-name argument is not valid. According to the spec:

- "[<security-role>] is used to define roles that could be tested (i.e., by calling isUserInRole)...".

- "The security-role element contains the definition of a security role."

- "The security-role-ref element contains the declaration of a security role reference in the web application's code. The declaration consists of an optional description, the security role name used in the code, and an optional link to a security role."
 
Jan Sterk
Ranch Hand
Posts: 142
Uh, OK, you're right Dee, well found. I stand corrected.
[ June 17, 2008: Message edited by: Jan Sterk ]
 