JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
security roles

Shobhan Ganta
Ranch Hand

Joined: Nov 11, 2010
Posts: 37
Hi,

This question is from HFSJ final mock exam.

Your web application has a valid deployment descriptor in which student and
sensei are the only security roles that have been defined. The deployment
descriptor contains two security constraints that declare the same resource to
be constrained. The first security constraint contains:
<auth-constraint>
  <role-name>student</role-name>
</auth-constraint>
And the second security constraint contains:
<auth-constraint/>
Which are true? (Choose all that apply.)
A. As the deployment descriptor stands now, the constrained resource can
be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can
be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can
be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by student users.


The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan
Seeta Ramayya Vadali
Greenhorn

Joined: Dec 14, 2010
Posts: 1
The given answer is right (i.e., option D). The default behavior if the auth-constraint tag is not provided is that everyone can access the resource. So option D is correct.



Regards,
Seeta
Shobhan Ganta
Ranch Hand

Joined: Nov 11, 2010
Posts: 37
Hi Seeta,

Thanks for replying to my post.
Seeta Ramayya Vadali wrote:The default behavior if the auth-constraint tag is not provided is that everyone can access the resource.


The statement above is correct only if no role-name is present inside the auth-constraint tag.
But option D states that if only the second security constraint tag is removed, we still have the first security role; hence I suspect option D is not correct.

When two different non-empty <auth-constraint> elements apply to the same constrained resource,
access is granted to the union of all roles from both of the <auth-constraint> elements


Thanks
Shobhan
Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252

Shobhan Ganta wrote:The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan


Hi Shobhan,

You are absolutely right.

Check out the Errata webpage for the book.
This is what the authors have to say:
"Remove the checkmark from Option D and put it on Option F."

"A problem well stated is a problem half solved." - Charles F. Kettering
SCJP 6, OCPJWCD
Shobhan Ganta
Ranch Hand

Joined: Nov 11, 2010
Posts: 37
Thanks Nidhi for confirming.
Isha Garg
Greenhorn

Joined: Mar 12, 2010
Posts: 29
So does that mean there is an error on page 671 of the new book, which has the following text:

Dueling <auth-constraint> elements:
A and B refer to two <security-constraint> elements with partially or fully overlapping <web-resource-collection>


Contents of A: No <auth-constraint> element
Content of B: <auth-constraint>Admin</auth-constraint>

In the above case, the book says everybody has access to 'UpdateRecipes'.

If there is an erratum for the above mock question, then is this also wrong in the book?
Or is there something wrong in my understanding?
Jan Skowronski
Greenhorn

Joined: Dec 21, 2007
Posts: 4
No Isha, the book is right:

lack of <auth-constraint> means ALLOW ANYBODY to access given resource (+http method of course).
<auth-constraint> with one (or more) roles means ONLY those specified can access given resource.

So if any of the constraints EXPLICITLY grants you access (first tag) you have that access, UNLESS there's an EMPTY <auth-constraint>, which always wins and forbids access, no matter how many other constraints would give you access.

Remember: empty <auth-constraint> is the opposite of LACK of it!

Hope it's clear
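As an added illustration (not code from the thread or from the book), here is a small Python model of the three rules Jan lists, run over constructed web.xml fragments for the scenarios discussed in this thread. It treats <url-pattern> values as exact strings, ignores <http-method>, and the /dojo/* resource name is hypothetical.

```python
import xml.etree.ElementTree as ET

DEFINED_ROLES = frozenset({"student", "sensei"})  # roles the question declares

def effective_access(web_xml, url_pattern):
    """Who may reach url_pattern: "EVERYONE", "NOBODY", or a frozenset of roles.
    Rules as the thread states them: no <auth-constraint> lets anybody in, an empty
    <auth-constraint/> forbids everyone and overrides the rest, named roles are unioned."""
    root = ET.fromstring(web_xml)
    covered, open_to_all, roles = False, False, set()
    for sc in root.findall("security-constraint"):
        if url_pattern not in {p.text.strip() for p in sc.iter("url-pattern")}:
            continue                      # this constraint does not cover the resource
        covered = True
        ac = sc.find("auth-constraint")
        if ac is None:
            open_to_all = True            # lack of <auth-constraint>: allow anybody
            continue
        names = [r.text.strip() for r in ac.findall("role-name")]
        if not names:
            return "NOBODY"               # empty <auth-constraint/> always wins
        roles |= DEFINED_ROLES if "*" in names else set(names)
    # An unconstrained resource, or one touched by an open constraint, is public.
    return "EVERYONE" if (not covered or open_to_all) else frozenset(roles)

def constraint(url, auth=""):
    """Build one <security-constraint> fragment (constructed input, not a real web.xml)."""
    return ("<security-constraint><web-resource-collection>"
            f"<url-pattern>{url}</url-pattern></web-resource-collection>"
            f"{auth}</security-constraint>")

STUDENT = "<auth-constraint><role-name>student</role-name></auth-constraint>"
ADMIN = "<auth-constraint><role-name>Admin</role-name></auth-constraint>"
EMPTY = "<auth-constraint/>"
R = "/dojo/*"  # hypothetical constrained resource

# 1. The descriptor as the question states it: student role plus an empty constraint.
AS_IS = f"<web-app>{constraint(R, STUDENT)}{constraint(R, EMPTY)}</web-app>"
# 2a. Whole second <security-constraint> gone (the errata's reading): student only.
FIRST_ONLY = f"<web-app>{constraint(R, STUDENT)}</web-app>"
# 2b. Second <security-constraint> kept but with no <auth-constraint>: everyone.
SECOND_OPEN = f"<web-app>{constraint(R, STUDENT)}{constraint(R)}</web-app>"
# 3. Page 671's "dueling" case: A has no <auth-constraint>, B names Admin.
DUELING = f"<web-app>{constraint(R)}{constraint(R, ADMIN)}</web-app>"

if __name__ == "__main__":
    for label, xml in (("as-is", AS_IS), ("first only", FIRST_ONLY),
                       ("second open", SECOND_OPEN), ("dueling", DUELING)):
        print(f"{label:>12}: {effective_access(xml, R)}")
```

Scenarios 2a and 2b show why the mock question is ambiguous: what "removing the second <auth-constraint> tag" leaves behind decides between options D and F.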