Mistake in HFSJ? : Without auth-constraint and with role-name * in auth constraint

Manjula Weerasinghe
Greenhorn

Joined: Mar 15, 2010
Posts: 25

Hi Friends,
On page 669 of the Head First JSP & Servlet book, it says

and

both have the same effect.

But when I tested using the above two configurations:
* For the first security constraint configuration, the browser asks for a user name and password and lets a user with any role access the page after authentication.
* But for the second security constraint configuration, the browser does not ask for any authentication details and allows any user (users with any role + anonymous users) to access the resource.
I am using Tomcat 7 and I would like to know whether this is vendor-specific behavior or the accurate behavior defined in the specs. I think what is mentioned in the book is incorrect.
Tomcat Access Log:


web.xml:


Thanks & Regards,
Manjula

OCPJP 6, OCE JEE 6 JSP and Servlet Developer
Mike Zal
Ranch Hand

Joined: May 04, 2011
Posts: 144

What you posted in your web.xml is different from what you stated in the original problem. In your problem statement you say you are using an empty tag, but in your web.xml you are using the not included tag.

Remember that there is a difference between an empty tag and no tag.

Link to another thread about this topic


OCJP6, OCWCD5
Manjula Weerasinghe
Greenhorn

Joined: Mar 15, 2010
Posts: 25

Hi Mike,
What I have mentioned at the start of my post is the way that it is in the book. But in there I have not included an empty tag for auth-constraint. In that code block, I have put a comment inside the <security-constraint> tag saying without auth-constraint element. I have put the code the same way as it is shown in the book, that is, without the <web-resource-collection> tag inside the <security-constraint> tag, although the <web-resource-collection> tag should be there.
And I have put some comments in the places where the <auth-constraint> tag should be if it is used. I cannot see any conflict between what I have said in the problem and my web.xml. I have not used any empty <auth-constraint> tags in any of the code blocks. If you still think such a problem exists, can you please clarify a little bit more?
Thanks & Regards,
Manjula
Ashok Kurakula
Greenhorn

Joined: May 16, 2011
Posts: 15

Hi Manjula,

If no <auth-constraint> element is present, then unauthenticated access will be allowed to the URLs specified in that <security-constraint> element.

And if an <auth-constraint> element is present, then only authentication will be prompted and access will be given to the roles specified within the <auth-constraint> element.

So "no <auth-constraint>" element and "<auth-constraint><role-name>*</role-name></auth-constraint>" aren't quite the same.

I agree that the statement in HFSJ is quite misleading.


OCPJP 6, OCE Java EE 6 JSP and Servlets Developer, OCE Java EE 6 EJB Developer...
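
Added example, not part of the original thread or any poster's code: a small Python audit of a web.xml that reports the cases distinguished above (no <auth-constraint>, <role-name>*</role-name>, and an empty <auth-constraint/>). The descriptor is a constructed sample and the function names are hypothetical; it assumes each url-pattern appears in only one constraint and ignores <http-method>.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (web-resource-name omitted for brevity).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/open/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/locked/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    # ElementTree names namespaced elements "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def classify(constraint):
    """Describe who may reach the URLs of one <security-constraint>."""
    auth = children(constraint, "auth-constraint")
    if not auth:                       # element absent: container does not authenticate
        return "unauthenticated access allowed"
    roles = {(r.text or "").strip() for a in auth for r in children(a, "role-name")}
    if not roles:                      # element present but empty: nobody gets in
        return "no access for anyone"
    if "*" in roles:                   # wildcard: login first, then any role passes
        return "login required, any role"
    return "login required, roles: " + ", ".join(sorted(roles))

def audit(web_xml):
    """Map each url-pattern to the effect of its constraint (hypothetical helper)."""
    report = {}
    for node in ET.fromstring(web_xml).iter():
        if local(node.tag) == "security-constraint":
            for wrc in children(node, "web-resource-collection"):
                for pat in children(wrc, "url-pattern"):
                    report[(pat.text or "").strip()] = classify(node)
    return report

if __name__ == "__main__":
    for pattern, effect in audit(SAMPLE_WEB_XML).items():
        print(f"{pattern:12} {effect}")
```
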
Manjula Weerasinghe
Greenhorn

Joined: Mar 15, 2010
Posts: 25

Hi Ashok,

Thanks for the response.
That is what I assumed about this issue in the first place. For the first case, the authors have correctly pointed out "If an <auth-constraint> does not exist, Container MUST allow unauthenticated access for the relevant URLs" on page 668. But after that, what they have said in the examples and exercises related to this topic is misleading; it seems they have used the term "Everybody" for two meanings without noticing it.

Thanks & Regards,
Manjula
 