
security roles

 
Shobhan Ganta
Ranch Hand
Posts: 37
Hi,

This question is from HFSJ final mock exam.

Your web application has a valid deployment descriptor in which student and
sensei are the only security roles that have been defined. The deployment
descriptor contains two security constraints that declare the same resource to
be constrained. The first security constraint contains:
234. <auth-constraint>
235. <role-name>student</role-name>
236. </auth-constraint>
And the second security constraint contains:
251. <auth-constraint/>
Which are true? (Choose all that apply.)
A. As the deployment descriptor stands now, the constrained resource can
be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can
be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can
be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by student users.


The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan
 
Seeta Ramayya Vadali
Greenhorn
Posts: 1
The given answer is right (i.e., option D). The default behavior if the auth-constraint tag is not provided is that everyone can access the resource. So option D is correct.



Regards,
Seeta
 
Shobhan Ganta
Ranch Hand
Posts: 37
Hi Seeta,

Thanks for replying to my post.
The default behavior if the auth-constraint tag is not provided is that everyone can access the resource.


The above statement is correct only if no role-name is present inside the auth-constraint tag.
But Option D states that only the second security constraint tag is removed, so we still have the first security role; hence I suspect option D is not correct.

When two different non-empty <auth-constraint> elements apply to the same constrained resource,
access is granted to the union of all roles from both of the <auth-constraint> elements


Thanks
Shobhan
 
Nidhi Sar
Ranch Hand
Posts: 252
Shobhan Ganta wrote:The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan


Hi Shobhan,

You are absolutely right.

Check out the Errata webpage for the book.
This is what the authors have to say:
"Remove the checkmark from Option D and put it on Option F."
 
Shobhan Ganta
Ranch Hand
Posts: 37
Thanks Nidhi for confirming.
 
Isha Garg
Greenhorn
Posts: 29
So does that mean there is an error on page 671 of the new book, which has the following text:

Dueling <auth-constraint> elements:
A and B refer to two <security-constraint> elements with partially or fully overlapping <web-resource-collection>s


Contents of A: No <auth-constraint> element
Content of B: <auth-constraint>Admin</auth-constraint>

In the above case, the book says everybody has access to 'UpdateRecipes'.

If there is an erratum for the above mock question, then is this also wrong in the book?
Or is there something wrong in my understanding?
 
Jan Skowronski
Greenhorn
Posts: 4
No Isha, the book is right:

Lack of <auth-constraint> means ALLOW ANYBODY to access the given resource (and HTTP method, of course).
<auth-constraint> with one (or more) roles means ONLY those specified can access the given resource.

So if any of the constraints EXPLICITLY grants you access (first tag), you have that access, UNLESS there's an EMPTY <auth-constraint>, which always wins and forbids access, no matter how many other constraints would give you access.

Remember: empty <auth-constraint> is the opposite of LACK of it!

Hope it's clear
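The merge rules Jan lists, and the page 671 case Isha raises, can be checked mechanically. The Python below is an added example, not code from the thread or from the book: it renders minimal web.xml fragments for the configurations discussed above (the descriptor as given, the first constraint on its own, and the book's "no <auth-constraint> plus Admin" pair) and computes who may reach the constrained URL. The URL pattern /dojo/* and the helper names are my own assumptions; the question names neither.

```python
import xml.etree.ElementTree as ET

# Constructed scenarios, not the book's descriptor. Each list entry describes
# one <security-constraint> on the same URL pattern: None = no
# <auth-constraint>, [] = empty <auth-constraint/>, ["student"] = named roles.
URL = "/dojo/*"   # assumed pattern; the question does not name one

def build_web_xml(auth_constraints):
    """Render a minimal web.xml with one <security-constraint> per entry."""
    parts = []
    for ac in auth_constraints:
        if ac is None:
            ac_xml = ""
        elif not ac:
            ac_xml = "<auth-constraint/>"
        else:
            names = "".join(f"<role-name>{r}</role-name>" for r in ac)
            ac_xml = f"<auth-constraint>{names}</auth-constraint>"
        parts.append("<security-constraint><web-resource-collection>"
                     f"<url-pattern>{URL}</url-pattern></web-resource-collection>"
                     f"{ac_xml}</security-constraint>")
    return "<web-app>" + "".join(parts) + "</web-app>"

def effective_access(web_xml, url_pattern):
    """Merge every <security-constraint> covering url_pattern with the rules
    from the thread: a constraint with no <auth-constraint> lets anybody in,
    an empty <auth-constraint/> forbids everybody and overrides the rest,
    otherwise access is the union of the named roles.
    Returns "anyone", "nobody", or a frozenset of role names."""
    root = ET.fromstring(web_xml)
    matching = [sc for sc in root.findall("security-constraint")
                if url_pattern in {p.text for p in sc.iter("url-pattern")}]
    if not matching:
        return "anyone"                 # resource is not constrained at all
    unauthenticated_ok = False
    roles = set()
    for sc in matching:
        ac = sc.find("auth-constraint")  # test with 'is None': empty elements are falsy
        if ac is None:
            unauthenticated_ok = True   # lack of the element: allow anybody
            continue
        named = {r.text.strip() for r in ac.findall("role-name")}
        if not named:
            return "nobody"             # empty element always wins
        roles |= named
    return "anyone" if unauthenticated_ok else frozenset(roles)

AS_GIVEN = [["student"], []]            # the question as it stands
FIRST_ONLY = [["student"]]              # only the first constraint remains
BOOK_PAGE_671 = [None, ["Admin"]]       # A: no <auth-constraint>, B: Admin
```

Running `effective_access(build_web_xml(cfg), URL)` for the three constants gives "nobody", {"student"} and "anyone" respectively, which is the empty-element rule, option F's outcome, and the book's page 671 statement in turn.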
 