
authorization doubt

 
Parth Twari
Ranch Hand
Posts: 163
Source: Marcus
Given the following deployment descriptor, which of the following statements are true?



A. requesting /index.jsp in the browser bar will cause the user to be prompted for a username and password
B. requesting /index.jsp in the browser bar will NOT cause the user to be prompted for a username and password
C. Only members of the tomcat role will be prompted for a username and password for the index.jsp resource
D. Only POST requests will be authenticated, all other requests will be refused

Answer: B

But I think it should be A. Right? If the client requests index.jsp by POST, then the browser will ask for authentication, right?
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2264
Please use the code tags: that makes it easier to read.

I think that A is correct, although I am missing the <security-role> element which lists all the security roles in the application.

Regards,
Frits
 
Parth Twari
Ranch Hand
Posts: 163
If anyone sends a GET request for index.jsp, then it must not be required to be authenticated or authorised, and if a POST goes, then it must be authenticated and after that authorised to be tomcat.

Right?

What will be the use of the security-role element?
 
Ankit Garg
Sheriff
Posts: 9509
A is not right. When you enter a URL in the browser's address bar, a GET request will be issued. The GET request will not be authenticated, so the user won't be prompted for username/password...
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2264
A is not right. When you enter a URL in the browser's address bar, a GET request will be issued.

Yes, you are right of course, I was sleeping here.

The <security-role> element lists all the security roles that can be used in the DD. So using a role-name in a <security-constraint> is only possible if you have listed it before in the <security-role> element.

Regards,
Frits
 
Abimaran Kugathasan
Ranch Hand
Posts: 2066
What about C? Could you please explain?
 
Parth Twari
Ranch Hand
Posts: 163
OK. So that means "requesting /index.jsp in the browser bar" was the key line here, saying that only a GET request is going, which of course means it is not required to be authenticated.

What about C? Could you please explain?


See, a GET request is not even authenticated, so no matter what role a person is in, or even if he is not logged in/registered, he will not be asked for a username or password.

thanks
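
The point the thread settles on (a constraint that lists only POST leaves a GET from the address bar unconstrained), shown as an added example that is not part of the original thread: a small lint over a constructed web.xml. The descriptor, the function names and the finding labels are assumptions, and only exact url-pattern matches are checked.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the thread (not the quiz's original):
# only POST to /index.jsp is constrained, and no <security-role> is declared.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>index</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def parse(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():                 # strip any XML namespace from tags
        el.tag = el.tag.split("}")[-1]
    return root

def texts(parent, tag):
    return [e.text.strip() for e in parent.iter(tag) if e.text]

def covered(root, url, method):
    """True if some <security-constraint> names this exact url-pattern and
    applies to this HTTP method (no <http-method> means every method)."""
    for wrc in root.iter("web-resource-collection"):
        methods = [m.upper() for m in texts(wrc, "http-method")]
        if url in texts(wrc, "url-pattern") and (not methods or method.upper() in methods):
            return True
    return False

def audit(root):
    """Lint findings: per-method constraints and roles missing from <security-role>."""
    declared = {r for sr in root.iter("security-role") for r in texts(sr, "role-name")}
    findings = []
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = sorted(m.upper() for m in texts(wrc, "http-method"))
            for pattern in texts(wrc, "url-pattern") if methods else []:
                findings.append(("other-methods-unconstrained", pattern, methods))
        for auth in sc.findall("auth-constraint"):
            for role in sorted(set(texts(auth, "role-name")) - declared - {"*"}):
                findings.append(("role-not-declared", role))
    return findings

if __name__ == "__main__":
    root = parse(WEB_XML)
    print(covered(root, "/index.jsp", "GET"), covered(root, "/index.jsp", "POST"))
    print(audit(root))
```

A descriptor that omits `<http-method>` from the collection covers every method, which is the usual way to avoid leaving GET open by accident.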
 