Thanks to Marcus Green for very nice mock exam. In one question I have the following doubt.
Q: Which statemetns are true of the following snippet of a deployment descriptor.
A. It is faulty becasue it has multiple security-constraint elements
B. It is faulty because it does not supply the http-method tag
C. Only members of the manager role will be able to access the resource
D. Any user will be able to access the resource
E. No users will be able to access the resource
I choose option E as correct answer since empty auth constraint is the final as per HFSJ. However the correct answer is D.
The explanation is "Although the first auth-constraint is empty, implying no one will have access to the resource, this is cancelled out by the second auth-constraint that will allow anyone to access the resource. "
Is my understanding wrong? Please correct me.
Sai Surya, SCJP 5.0, SCWCD 5.0, IBM 833 834
http://sai-surya-talk.blogspot.com, I believe in Murphy's law.
"The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded." This means that nobody will have access.