JavaRanch » Java Forums » Java » Servlets
<security-constraint> in web.xml (http-method)

Manish Shinde
Ranch Hand

Joined: Mar 30, 2011
Posts: 39
I have doubts about <http-method> under <security-constraint>.


<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the web.xml schema -->
    <web-resource-name>TestConnectionServlet</web-resource-name>
    <url-pattern>/TestConnectionServlet</url-pattern>
    <!-- HTTP method names are case-sensitive: GET, not get -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>only member</description>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

Here, if the user's role is member, then that user can access the GET method of /TestConnectionServlet, but any other user with another role can access any method of TestConnectionServlet except GET.

If the above statement is correct, then if I remove <http-method>, according to Head First:
if there is no <http-method> in <web-resource-collection>, it would mean that NO HTTP methods are allowed by anyone in any role.
So assume that I removed <http-method>; then I should not get access to TestConnectionServlet.
But I am still getting access. WHY?

I'm using NetBeans 6.5 and Tomcat 6.0.14.

What is the meaning of "all methods are constrained"?

THANKS IN ADVANCE
MANISH

Suhas Mandrawadkar
Ranch Hand

Joined: Jul 21, 2007
Posts: 72

<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the web.xml schema -->
    <web-resource-name>TestConnectionServlet</web-resource-name>
    <url-pattern>/TestConnectionServlet</url-pattern>
    <!-- HTTP method names are case-sensitive: GET, not get -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>only member</description>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>


This means that when /TestConnectionServlet is accessed using the GET HTTP method, only a member is allowed, after the user's authentication. The rest of the HTTP methods are not constrained (no restrictions).

If you have <http-method>, only those methods which are explicitly mentioned are constrained. Remember, the constraints are not set at the resource level; they are set for HTTP methods only!
So when you remove the <http-method> totally, it means: only allow member to access that resource, for all methods.

Regards, Suhas S. Mandrawadkar.
Certifications: SCJP 6, SCWCD 5, Oracle WebLogic Server Administrator, OCE Java EE 6 EJB Developer
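To make the answer above concrete, here is an added example (not code from the thread, from Tomcat, or from the servlet spec) that reproduces the container's decision logic in Python over the posted fragment, with the schema-required <web-resource-name> added and the <http-method> slot left for the caller to fill. The resource name `test`, the role `guest`, and the exact-match-only handling of <url-pattern> are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed from the fragment posted above; <web-resource-name> is
# required by the web.xml schema, and {methods} is filled in by the caller.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/TestConnectionServlet</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def load_constraints(web_xml):
    """Return (url_patterns, http_methods, roles) per <security-constraint>;
    roles is None for no <auth-constraint>, an empty set for an empty one."""
    result = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns, methods = set(), set()
        for wrc in sc.iter("web-resource-collection"):
            patterns |= {e.text.strip() for e in wrc.iter("url-pattern")}
            # method names are compared exactly; no <http-method> = all
            methods |= {e.text.strip() for e in wrc.iter("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {e.text.strip() for e in ac.iter("role-name")}
        result.append((patterns, methods, roles))
    return result


def is_allowed(constraints, method, path, user_roles):
    """Combine every constraint covering (method, path): uncovered -> open,
    any with no <auth-constraint> -> open, an empty <auth-constraint> -> deny."""
    covered, anyone, permitted = False, False, set()
    for patterns, methods, roles in constraints:
        if path not in patterns or (methods and method not in methods):
            continue  # this constraint does not cover the request
        covered = True
        if roles is None:
            anyone = True
        elif not roles:
            return False  # empty <auth-constraint> overrides all others
        else:
            permitted |= roles
    return not covered or anyone or bool(permitted & set(user_roles))
```

Filling the slot with `<http-method>GET</http-method>` leaves POST open to any caller, while an empty slot constrains every method to `member`, which is the behaviour Suhas describes. Servlet 3.1 later added `<deny-uncovered-http-methods/>` so that methods not listed in any constraint are denied instead of left open.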