mock question on security

Malika Ben Aziz
Greenhorn

Joined: Oct 26, 2009
Posts: 23
Hi, I can't understand the answer to this mock test question from Enthuware (V4 - Standard Test 2 - Question 31).


Consider the web.xml snippet shown in the exhibit.



Now consider the code for a jsp file named unprotected.jsp:




Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?

Select 1 correct option.
A. The user will be prompted to enter user name and password
B. An exception will be thrown
C. protected.jsp will be executed but its output will not be included in the response
D. The call to include will be ignored
E. None of these

ANS : E

I think the answer should be B, because it is attempting to access an unauthorized resource. Can someone explain this?
Thanks a lot.
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1520

Malika Ben Aziz wrote:
I think the answer should be B, because it is attempting to access an unauthorized resource. Can someone explain this?
Thanks a lot.

The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

Thanks Frits! I thought so, but is there any way to apply security to a server-side request? I think there is no need to do it?


|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1520

Abimaran Kugathasan wrote:
I thought so, but is there any way to apply security to a server-side request? I think there is no need to do it?

Not in the Servlet 2.4 specs, but you can always add programmatic security if you want to add extra functionality.

Regards,
Frits

Malika Ben Aziz
Greenhorn

Joined: Oct 26, 2009
Posts: 23
Frits Walraven wrote:
I think the answer should be B, because it is attempting to access unauthorized resource. Can someone explain this?
Thanks a lot.

The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits

I am sorry Frits, I still don't understand how to answer this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp.
I still don't see what forwarding or including has to do with this.

Could you please explain more why E is the correct answer?
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

I think there is no need for declarative security for server-side requests. We can do it with programmatic security. Please confirm this!
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9280

jsp:include is a static include; it happens only once, not with every request. So there is no point in securing it using user roles.

Malika, what Frits is trying to say here is that the security constraint will apply if the user directly tries to access /jsp/protected.jsp. In the question the user is accessing unprotected.jsp, and unprotected.jsp will include /jsp/protected.jsp. So the server-side include will not be authorized...


SCJP 6 | SCWCD 5 | Javaranch SCJP FAQ | SCWCD Links
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

Ankit Garg wrote: So the server-side include will not be authorized...


Ankit, I couldn't understand this! You mean there are no restrictions for server-side requests? Please elaborate.

Thanks!
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1520

Malika,

Malika Ben Aziz wrote:
I am sorry Frits, I still don't understand how to answer this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp.
I still don't see what forwarding or including has to do with this.

It seems Ankit's response and mine didn't answer your question. Let me try to explain it in another way.

There is a security constraint defined on /jsp/protected.jsp, so if we try to access it like (assume MyWebApp is the context root of your webapp): http://localhost:8080/MyWebApp/jsp/protected.jsp the server will check the last part of the URL /jsp/protected.jsp against all the security constraints defined in the web.xml. It will find a constraint and only allow managers to access it.

There is no security constraint defined on /jsp/unprotected.jsp, so if we access it like http://localhost:8080/MyWebApp/jsp/unprotected.jsp the server will check /jsp/unprotected.jsp against all the security constraints defined in the web.xml and won't find any. Hence it will allow the request to be delivered to the jsp.
The server will not check any content of the jsp or Servlet, meaning that if that jsp includes or forwards to another jsp (or the Servlet does a forward to or include of another Servlet) it won't be taken into account.

See also the spec:
SRV.12.2 Declarative Security
The security model applies to the static content part of the web application
and to servlets and filters within the application that are requested by the client.
The security model does not apply when a servlet uses the RequestDispatcher to
invoke a static resource or servlet using a forward or an include.


Does this make things clearer?

Regards,
Frits
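One way to apply Frits's earlier "programmatic security" suggestion to exactly this scenario, as an added example that is not code from the thread, the mock exam or Enthuware. It assumes a servlet (hypothetical name UnprotectedServlet, mapped to an unconstrained URL) that includes /jsp/protected.jsp, and a web.xml constraint for the manager role; both are constructed for the example:

```java
// Added example; not code from this thread or from Enthuware. Assumed web.xml
// (constructed for this example, matching the constraint the thread describes):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Protected JSP</web-resource-name>
//       <url-pattern>/jsp/protected.jsp</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>manager</role-name></auth-constraint>
//   </security-constraint>
//
// The container matches that constraint only against the URL the browser
// requested (SRV.12.2). A RequestDispatcher include of /jsp/protected.jsp
// from an unconstrained servlet is never checked, so this servlet (assumed
// name and mapping) repeats the role test programmatically before including.
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UnprotectedServlet extends HttpServlet {
    private static final String PROTECTED = "/jsp/protected.jsp";
    private static final String REQUIRED_ROLE = "manager";

    // Same test the <auth-constraint> would apply to a direct request.
    static boolean mayInclude(HttpServletRequest req) {
        return req.getUserPrincipal() != null && req.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Decide before writing anything, so sendError() still works.
        if (!mayInclude(req)) {
            // Unauthenticated or wrong role: refuse the whole page.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/html");
        resp.getWriter().println("<p>Unprotected content</p>");
        // The container does NOT re-check security for this include;
        // it is allowed only because of the check above.
        RequestDispatcher rd = req.getRequestDispatcher(PROTECTED);
        rd.include(req, resp);
    }
}
```

Without the mayInclude check, the include succeeds for any caller, which is exactly why answer E (none of these) is correct for the mock question.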
Adrian Lopez
Greenhorn

Joined: Jun 26, 2013
Posts: 1
This is a typo in the specification of this question...


The question should be:


Now consider the code for a jsp file named unprotected.jsp


Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1520

Be careful, there are two ways to include a file in a jsp:

a static include (happens once)
and a dynamic include (happens for every request)


Regards,
Frits