
Authorisation related

 
Simran Dass


BY MISTAKE I posted this question in the forum "HTML and JavaScript". Please remove it from there but not from here.


Suppose the DD has two roles defined - Admin and User.
Suppose there are two <security-constraint> elements in the DD. Both constrain the same
resource. One of them DOES NOT have an <auth-constraint> element.

The web.xml
-------------------




<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SS</web-resource-name>
        <url-pattern>/mine/yes</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurityQ</web-resource-name>
        <url-pattern>/mine/yes</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>

<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>




When I requested /mini/yes in Tomcat 5.5 it did NOT ask for any authentication, i.e. it allows unauthenticated access to all the roles. There is a similar question in Kathy Sierra Mock Exam (2nd Edition) - Q 30. According to the Errata, only "user" role should be allowed access. WHY?


The Servlet Spec says (which is not very clear):

SRV 12.8.1
--------------
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."



My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?
 
Frits Walraven
Hi Simran,

"My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?"


There are two possibilities:
  • <security-constraint> with NO <auth-constraint> combined with <security-constraint> with <auth-constraint></auth-constraint> means NOBODY has access
  • <security-constraint> with NO <auth-constraint> combined with any other <security-constraint> means EVERYBODY has access

Regards,
Frits
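
The combining rule from SRV 12.8.1 that this answer summarises, as an added example (not part of the thread and not container code): a small Python audit helper that reads a web.xml and reports the effective access for one URL pattern and HTTP method. The function names, the `sample` builder and the result labels are assumptions made for the illustration; patterns are compared exactly, and servlet path matching is not implemented.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's descriptor (same URL pattern, GET only).
WRC = ("<web-resource-collection><web-resource-name>{n}</web-resource-name>"
       "<url-pattern>/mine/yes</url-pattern><http-method>GET</http-method>"
       "</web-resource-collection>")

def sample(second_auth=""):
    """Build the thread's web.xml; second_auth is the second constraint's auth element."""
    return ("<web-app><security-constraint>" + WRC.format(n="SS") +
            "<auth-constraint><role-name>user</role-name></auth-constraint>"
            "</security-constraint><security-constraint>" + WRC.format(n="SecurityQ") +
            second_auth + "</security-constraint>"
            "<security-role><role-name>admin</role-name></security-role>"
            "<security-role><role-name>user</role-name></security-role></web-app>")

def kids(el, name):
    """Direct children called `name`, ignoring any XML namespace prefix on the tag."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def texts(el, name):
    """Stripped text of each direct child called `name`."""
    return [(c.text or "").strip() for c in kids(el, name)]

def effective_access(web_xml, pattern, method):
    """Return 'UNAUTHENTICATED', 'DENY_ALL', or the sorted list of permitted roles."""
    root = ET.fromstring(web_xml)
    declared = {r for sr in kids(root, "security-role") for r in texts(sr, "role-name")}
    roles, matched, open_access = set(), False, False
    for sc in kids(root, "security-constraint"):
        # Exact pattern comparison: the combining rule is about identical patterns.
        # A collection with no <http-method> covers every method.
        if not any(pattern in texts(w, "url-pattern") and
                   (not kids(w, "http-method") or method in texts(w, "http-method"))
                   for w in kids(sc, "web-resource-collection")):
            continue
        matched = True
        auth = kids(sc, "auth-constraint")
        if not auth:
            open_access = True            # no <auth-constraint>: unauthenticated access
            continue
        named = set(texts(auth[0], "role-name"))
        if not named:
            return "DENY_ALL"             # empty <auth-constraint/> overrides everything
        roles |= declared if "*" in named else named   # "*" means every declared role
    if open_access or not matched:
        return "UNAUTHENTICATED"
    return sorted(roles)
```

Running it over a deployed descriptor for each protected pattern and flagging every `UNAUTHENTICATED` result on a path that also names roles catches the configuration discussed in this thread.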
     
Abimaran Kugathasan
With your constraints, everyone can access the resources. And further, can you post the K&B's book question?
     
Simran Dass

Thank you.

And does everybody here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL"?
     
Frits Walraven
"And does everybody here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL""

Yes it does.

Regards,
Frits
     
Simran Dass

Thanks a lot Frits
     