
Question 30 - Final mock exam HFSJ

 
Paul Statham
Ranch Hand
Posts: 57
The question is


Your web application has a valid DD in which student and sensei are the only security roles that have been defined. The DD contains two security constraints that declare the same resource to be constrained. The first security constraint contains:




And the second security constraint contains




Which are true? (Choose all that apply.)

A. As the DD stands now, the constrained resource can be accessed by both roles.
B. As the DD stands now, the constrained resource can be accessed only by sensei users.
C. As the DD stands now, the constrained resource can be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by student users.


The answer given is D.

I think the answer should be E, as removing the second auth-constraint means all users are no longer restricted, but students are still restricted from the resource, therefore only sensei users can access it. Please tell me if I'm correct.
 
Piyush Joshi
Ranch Hand
Posts: 207
Again, here also you are confusing the meaning of the <auth-constraint> tag. See this:
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
does NOT mean that the given request on the given resource is restricted for student role. It means that the given request on the given resource is restricted for roles OTHER THAN student.
 
Paul Statham
Ranch Hand
Posts: 57
Thank you Piyush, I had it mixed up obviously.
 
Ankur Gargg
Ranch Hand
Posts: 55
As per me, the answer should be F.
Correct me if I am wrong.
 
Piyush Joshi
Ranch Hand
Posts: 207
No, it's wrong.
Remember that if there is no auth-constraint tag then every role is allowed.

The first auth-constraint says students are allowed.
If the second auth-constraint tag is removed, then it will mean that every role is allowed.
Therefore the combined effect of these two will be that every role is allowed.

Things to remember:
Role1 + Role2 = Role1 and Role2
Role1 + everybody = everybody
Role1 + nobody = nobody
 
Stoian Azarov
Ranch Hand
Posts: 113
Then it is good to correct the errata, because someone reported the same mistake (wrong correction).

And this proposition even got approved:
Errata - Page 843 Question 30
 
Piyush Joshi
Ranch Hand
Posts: 207
Yes the errata should be corrected.

Servlet 3.0 specification section 13.8 says:
If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication.


Also, in the HFSJ book at page 668 it's mentioned as:
If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.


Then for combining constraints:

Servlet 3.0 Specification section 13.8.1 says:
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access.


From this, it's clear that option D is correct.

But how to correct the errata? Should another errata be raised to correct it?
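A worked illustration of the combining rules quoted above (added here; not code from the book, the thread, or any servlet container). It parses a constructed web.xml fragment with two constraints on the same URL and applies Servlet 3.0 section 13.8.1 to compute who may reach the resource. Assumptions: the second constraint names sensei, as the replies suggest (the question's XML did not survive in this thread); the namespace is omitted; url-patterns are compared for exact equality.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (namespace omitted; not the book's DD): two
# <security-constraint>s on one URL, naming "student" and "sensei" respectively.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/dojo/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>student</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/dojo/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>sensei</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>student</role-name></security-role>
  <security-role><role-name>sensei</role-name></security-role>
</web-app>"""

EVERYBODY, NOBODY = "everybody", "nobody"

def auth_constraint_of(sc, declared_roles):
    """What one <security-constraint> permits: a role set, EVERYBODY or NOBODY."""
    ac = sc.find("auth-constraint")
    if ac is None:
        return EVERYBODY  # no <auth-constraint>: unauthenticated access is allowed
    roles = {r.text.strip() for r in ac.findall("role-name")}
    if not roles:
        return NOBODY  # empty <auth-constraint/>: access precluded for everyone
    if "*" in roles:
        roles = set(declared_roles)  # "*" means every role declared in <security-role>
    return roles

def combine(parts):
    """Servlet 3.0 spec 13.8.1: an empty constraint overrides all others, a missing
    one opens the resource to everybody, otherwise permitted roles are the union."""
    if NOBODY in parts:
        return NOBODY
    if EVERYBODY in parts:
        return EVERYBODY
    return set().union(*parts)

def effective_access(web_xml, url_pattern):
    """Who may reach url_pattern once every constraint naming it is combined.
    Simplification: url-pattern strings are compared for exact equality."""
    root = ET.fromstring(web_xml)
    declared = [r.text.strip() for r in root.findall("security-role/role-name")]
    parts = [auth_constraint_of(sc, declared) for sc in root.findall("security-constraint")
             if url_pattern in {p.text.strip()
                                for p in sc.findall("web-resource-collection/url-pattern")}]
    return combine(parts) if parts else EVERYBODY  # unconstrained URL: open to all
```

Dropping the second <auth-constraint> yields "everybody" (option D), while replacing it with an empty <auth-constraint/> yields "nobody", which is the Role1 + nobody = nobody rule from the earlier reply.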
 
Stoian Azarov
Ranch Hand
Posts: 113
I have seen many duplicate reports, so I suppose that there is no established process for editing the existing posts.
Even so, we might ask O'Reilly in any case.
 