Mock question about <auth-constraint>

Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252

This question is from Marcus Green's mock exam:

Which statements are true of the following snippet of a deployment descriptor.

<security-constraint>
<web-resource-collection>
<web-resource-name>Sensitive</web-resource-name>
<url-pattern>/SecuredServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
<role-name>manager</role-name>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Sensitive</web-resource-name>
<url-pattern>/SecuredServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

Choose one answer.
A. It is faulty because it has multiple security-constraint elements
B. It is faulty because it does not supply the http-method tag
C. Only members of the manager role will be able to access the resource
D. Any user will be able to access the resource
E. No users will be able to access the resource


I had answered E, but the correct answer given is D. The explanation is: "Although the first auth-constraint is empty, implying no one will have access to the resource, this is cancelled out by the second auth-constraint that will allow anyone to access the resource."

Is this right?



"A problem well stated is a problem half solved." - Charles F. Kettering
SCJP 6, OCPJWCD
Dieter Quickfend
Ranch Hand

Joined: Aug 06, 2010
Posts: 359
An empty auth-constraint has precedence. It appears there is a problem with that first auth-constraint, because the role-name is outside the auth-constraint element. I think the manager role should be within the first auth-constraint element, and then it would be true that any user would have access. It appears as an error in the code, and a faulty explanation.

EDIT:
Quoted from Head First Servlets & JSP pg 671:
An empty <auth-constraint> tag combines with anything else to allow access to nobody! In other words, an empty <auth-constraint> is always the final word!


Oracle Certified Professional: Java SE 6 Programmer
Oracle Certified Expert: Java EE 6 Web Component Developer
Oracle Certified Expert: Java EE 6 Enterprise JavaBeans Developer
Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252

Dieter Quickfend wrote: An empty auth-constraint has precedence. It appears there is a problem with that first auth-constraint, because the role-name is outside the auth-constraint element.

Thanks Dieter, that's what I thought too.

The only reason I thought that the "empty auth-constraint trumps all" rule might not apply here is, that the <web-resource-name> of both web-resource-collection elements is identical. Haven't seen that before, so I thought that might skew the results somehow.

Unlike servlet-name, are web-resource-name elements allowed to be duplicate?

Dieter Quickfend
Ranch Hand

Joined: Aug 06, 2010
Posts: 359
Ah, good find, hadn't realized that. I believe the web-resource-name wouldn't influence the behaviour of the auth-constraint. As far as I know, it is used only for recognition by GUI-tools.
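
The combining rule discussed in this thread (an auth-constraint that names no roles overrides every other constraint on the same URL pattern), as an added Python example that is not part of the thread or of any container's code. `kids` and `effective_access` are hypothetical helpers; URL patterns are compared by exact string and http-method is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's two constraints, wrapped in a root element.
WRC = ("<web-resource-collection><web-resource-name>Sensitive</web-resource-name>"
       "<url-pattern>/SecuredServlet</url-pattern></web-resource-collection>")
DESCRIPTOR = f"""<web-app>
<security-constraint>{WRC}
  <auth-constraint></auth-constraint>
  <role-name>manager</role-name>
</security-constraint>
<security-constraint>{WRC}
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def kids(el, name):
    """Direct children called `name`, ignoring any XML namespace."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def effective_access(xml_text, url_pattern):
    """Hypothetical helper: combine all constraints listing url_pattern.

    Returns (decision, roles, warnings). web-resource-name is never read:
    it takes no part in the decision.
    """
    roles, warnings = set(), []
    deny_all = open_access = matched = False
    for sc in kids(ET.fromstring(xml_text), "security-constraint"):
        patterns = {(u.text or "").strip()
                    for wrc in kids(sc, "web-resource-collection")
                    for u in kids(wrc, "url-pattern")}
        if url_pattern not in patterns:
            continue
        matched = True
        if kids(sc, "role-name"):
            warnings.append("role-name found outside auth-constraint")
        auth = kids(sc, "auth-constraint")
        named = {(r.text or "").strip() for a in auth for r in kids(a, "role-name")}
        if auth and not named:
            deny_all = True          # empty auth-constraint: nobody gets in
        elif not auth:
            open_access = True       # no auth-constraint: no login required
        roles |= named               # otherwise the role lists are unioned
    if deny_all:
        return "DENY_ALL", set(), warnings
    if open_access or not matched:
        return "PERMIT_ALL", set(), warnings
    return "ROLES", roles, warnings  # "*" stands for every declared role

if __name__ == "__main__":
    print(effective_access(DESCRIPTOR, "/SecuredServlet"))
```

Run over a real web.xml, the warning list is a quick way to spot a role-name that was left outside its auth-constraint, the situation Dieter points out in the mock question.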
 