Authorisation related

Simran Dass
Ranch Hand

Joined: Jan 09, 2010
Posts: 183


"BY MISTAKE I posted this question in the forum HTML and JavaScript. Please remove it from there but not from here."


Suppose the DD has two roles defined - Admin and User.
Suppose there are two <security-constraint> elements in the DD. Both constrain the same
resource. One of them DOES NOT have an <auth-constraint> element.

The web.xml
-------------------

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SS</web-resource-name>
    <url-pattern>/mine/yes</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurityQ</web-resource-name>
    <url-pattern>/mine/yes</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>

<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>

When I requested /mini/yes in Tomcat 5.5 it did NOT ask for any authentication, i.e.
it allows unauthenticated access to all the roles. There is a similar question in the Kathy Sierra Mock Exam (2nd Edition) - Q 30. According to the Errata, only the "user" role should be allowed access. WHY?


The Servlet Spec says (which is not very clear):

SRV 12.8.1
--------------
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."

My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1696

Hi Simran,

My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?


There are two possibilities:
  • <security-constraint> with NO <auth-constraint> combined with <security-constraint> with <auth-constraint></auth-constraint> means NOBODY has access
  • <security-constraint> with NO <auth-constraint> combined with any other <security-constraint> means EVERYBODY has access

Regards,
Frits
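The two rules above (plus the poster's quoted SRV 12.8.1 text) can be checked mechanically. The following script is an added example, not code from the thread, Tomcat or the Servlet spec: it parses a web.xml fragment modelled on the one posted, collects every <security-constraint> that covers a given URL and HTTP method, and applies the combination rules: an empty <auth-constraint/> wins and precludes everyone, a constraint with no <auth-constraint> at all opens the resource to unauthenticated users, and otherwise the role sets are unioned. It assumes exact-match url-patterns only (no `/*` or `*.ext` wildcards) and does not expand the special `*` role name; the web_xml() helper and the three variants are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


def web_xml(second_auth_constraint: str) -> str:
    """Constructed web.xml with the same two constraints as the original post.
    The first names the 'user' role; the second takes whatever the caller passes
    in place of its <auth-constraint> so the combination rules can be compared."""
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SS</web-resource-name>
      <url-pattern>/mine/yes</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurityQ</web-resource-name>
      <url-pattern>/mine/yes</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    {second_auth_constraint}
  </security-constraint>
</web-app>"""


# The three cases discussed in the thread (constructed variants):
AS_POSTED = web_xml("")                                   # second constraint has NO <auth-constraint>
EMPTY_AUTH = web_xml("<auth-constraint/>")                # second constraint names no roles
ADMIN_AUTH = web_xml("<auth-constraint><role-name>admin</role-name></auth-constraint>")


def load_constraints(xml_text: str):
    """Return a list of (url_patterns, http_methods, roles) tuples.
    roles is None when the constraint has no <auth-constraint> element,
    and an empty set when <auth-constraint/> is present but names no role."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = set(), set()
        for wrc in sc.findall("web-resource-collection"):
            patterns.update(p.text.strip() for p in wrc.findall("url-pattern"))
            methods.update(m.text.strip() for m in wrc.findall("http-method"))
        ac = sc.find("auth-constraint")
        # 'is None' matters: an empty element is falsy but still present
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def effective_access(constraints, url: str, method: str):
    """Combine every constraint matching (url, method) per SRV 12.8.1.
    Returns 'unconstrained' (nothing covers the request), 'nobody',
    'everyone' (unauthenticated access), or the union of permitted roles."""
    matching = [
        c for c in constraints
        if url in c[0] and (not c[1] or method in c[1])   # no <http-method> = all methods
    ]
    if not matching:
        return "unconstrained"
    role_sets = [c[2] for c in matching]
    # Special case first: an auth-constraint naming no roles precludes all access.
    if any(r is not None and not r for r in role_sets):
        return "nobody"
    # A constraint with no auth-constraint combines to allow unauthenticated access.
    if any(r is None for r in role_sets):
        return "everyone"
    # Otherwise the permitted roles are the union of the named roles.
    return set().union(*role_sets)


if __name__ == "__main__":
    for label, doc in [("as posted", AS_POSTED), ("empty auth", EMPTY_AUTH), ("admin", ADMIN_AUTH)]:
        cs = load_constraints(doc)
        print(f"{label:>10}: GET /mine/yes -> {effective_access(cs, '/mine/yes', 'GET')}")
    print(f"{'as posted':>10}: POST /mine/yes -> {effective_access(load_constraints(AS_POSTED), '/mine/yes', 'POST')}")
```

Running it reproduces Frits's two bullets for the posted configuration ("everyone") and for the empty <auth-constraint/> variant ("nobody"), and shows the role union ({"user", "admin"}) when both constraints name roles. The POST case is worth noticing from a hardening point of view: because both constraints list only GET, every other method on /mine/yes is left unconstrained by this web.xml, which is exactly why the no-auth-constraint rule should be applied deliberately rather than by accident.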
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

With your constraints, everyone can access the resources. And further, can you post the K&B book question?


|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
Simran Dass
Ranch Hand

Joined: Jan 09, 2010
Posts: 183

Thank you.

And does "everybody" here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL"?
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1696

And does "everybody" here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL"?

Yes it does.

Regards,
Frits
Simran Dass
Ranch Hand

Joined: Jan 09, 2010
Posts: 183

Thanks a lot Frits