JavaRanch, Web Component Certification (SCWCD/OCPJWCD) forum
Mock Exam doubt: Very interesting (tricky)

gopal venu
Ranch Hand

Joined: Jan 06, 2006
Posts: 55
Which two statements are true about using the isUserInRole() method to implement Security in Java EE application ?
(Choose two)
1. It can be invoked only from doGet()
2. It can be used independently of getRemoteUser()
3. Can return true even when its argument is not defined as valid role name in DD.
4. Using isUserInRole() method overrides any declarative authentication related to the method in which it is invoked
5. Using isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2, 3
I think it's 2, 5

Source: Enthuware JwebPlus 1.4
Dee Brown
Ranch Hand

Joined: Jun 14, 2008
Posts: 94
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>
Jan Sterk
Ranch Hand

Joined: Jun 06, 2008
Posts: 139
Originally posted by Dee Brown:
I believe 3 is correct. Remember that <security-role-ref> maps a hardcoded role name (e.g. request.isUserInRole("BigWig")) to declarative <security-role> elements in the DD. So even though "BigWig" is not a valid role name, with the following in place in the DD, the above method returns true.

<security-role><role-name>Admin</role-name></security-role>

<security-role-ref>
<role-name>BigWig</role-name>
<role-link>Admin</role-link>
</security-role-ref>


Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD defines BigWig as a valid role name. It even has a <role-name> tag for it.


SCJP 1.4 (81%) | SCWCD 5 (95%)
Jan Sterk
Ranch Hand

Joined: Jun 06, 2008
Posts: 139
Originally posted by gopal venu:
...
5.Using isUserInRole() method overrides any declarative authorization related to the method in which it is invoked

Answer given: 2, 3
I think it's 2, 5

Source: Enthuware JwebPlus 1.4


5 is wrong because the method itself doesn't do any authorization - it just returns a boolean.
Pham Hoai Van
Greenhorn

Joined: May 20, 2008
Posts: 15
I agree with Jan.
Declarative authorization is always checked first by the container before forwarding to the servlet. 5 must be wrong!
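To make the two points of this thread concrete (Dee's point that <security-role-ref> links a hard-coded name such as "BigWig" to a declared <security-role>, and Jan's and Pham's point that isUserInRole() only returns a boolean while the container has already enforced the <security-constraint> before the servlet runs), here is an added example. It is not part of the original thread or any poster's code. The servlet name, URL pattern, role names and the web.xml fragment shown in the leading comment are assumptions for illustration only.

```java
// Assumed web.xml fragment (illustrative; all names are made up):
//
// <security-constraint>
//   <web-resource-collection>
//     <web-resource-name>Reports</web-resource-name>
//     <url-pattern>/reports/*</url-pattern>
//   </web-resource-collection>
//   <auth-constraint>
//     <role-name>Admin</role-name>
//     <role-name>Analyst</role-name>
//   </auth-constraint>
// </security-constraint>
//
// <security-role><role-name>Admin</role-name></security-role>
// <security-role><role-name>Analyst</role-name></security-role>
//
// <servlet>
//   <servlet-name>ReportServlet</servlet-name>
//   <servlet-class>example.ReportServlet</servlet-class>
//   <!-- links the name hard-coded in the servlet to a declared role -->
//   <security-role-ref>
//     <role-name>BigWig</role-name>
//     <role-link>Admin</role-link>
//   </security-role-ref>
// </servlet>

package example;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        render(req, resp);
    }

    // isUserInRole() is not restricted to doGet(); any request-handling method may call it.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        render(req, resp);
    }

    private void render(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // By the time this runs, the container has already authenticated the caller
        // and applied the <auth-constraint> for /reports/*. Nothing in this method
        // can override that check: isUserInRole() only reads the outcome.

        // getRemoteUser() is independent of isUserInRole(); neither requires the other.
        String user = req.getRemoteUser();   // null if the caller was not authenticated

        // "BigWig" is not a <security-role>. The <security-role-ref> above links it to
        // "Admin", so this is true for any principal that holds the Admin role.
        boolean isBigWig = req.isUserInRole("BigWig");

        // "Analyst" is a declared <security-role>, so no <security-role-ref> is needed.
        boolean isAnalyst = req.isUserInRole("Analyst");

        // Neither a <security-role> nor a <security-role-ref> declares "Nobody". A role
        // that was never declared cannot be granted, so the portable answer is false;
        // do not rely on container-specific leniency for undeclared names.
        boolean undeclared = req.isUserInRole("Nobody");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + user + " undeclared=" + undeclared);

        // Programmatic branching on the result, not authorization: the container
        // decided whether this request reaches the servlet at all.
        if (isBigWig) {
            out.println("Full report including audit trail");
        } else if (isAnalyst) {
            out.println("Summary report");
        } else {
            // Unreachable under the constraint above; kept so that a later edit of
            // the DD (e.g. removing the <auth-constraint>) fails closed here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

If the <security-role-ref> were deleted, the "BigWig" check would fall back to the default mapping (the argument is taken as the role name itself), and since no <security-role> named BigWig exists the branch would never be taken, while the <security-constraint> would keep protecting /reports/* exactly as before.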
Dee Brown
Ranch Hand

Joined: Jun 14, 2008
Posts: 94
"Yes, that's probably what they mean. However, you can argue that the reference to BigWig in the DD, defines BigWig as valid role-name. It even has a <role-name> tag for it."

The role-name argument is not valid. According to the spec:

- "[<security-role>] is used to define roles that could be tested (i.e., by calling isUserInRole)...".

- "The security-role element contains the definition of a security role."

- "The security-role-ref element contains the declaration of a security role reference in the web application's code. The declaration consists of an optional description, the security role name used in the code, and an optional link to a security role."
Jan Sterk
Ranch Hand

Joined: Jun 06, 2008
Posts: 139
Uh, OK, you're right Dee, well found. I stand corrected.
[ June 17, 2008: Message edited by: Jan Sterk ]
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Mock Exam doubt: Very interesting (tricky)