Hi,
The auth-constraint applies to the combination of URL pattern + HTTP method.
The access permission is granted to the users/roles defined in the <auth-constraint> for the combination of URL pattern and HTTP method. Here there is no http-method defined, so access is granted for URL pattern + ALL HTTP methods.
It is equivalent to
<url-pattern>/acme/retail/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
..... ALL HTTP METHODS ......
My point is that if no http-method is specified, it assumes that all the methods are constrained and gives permission only to the role names defined in the <auth-constraint> sub-entry.
If you specify only one http-method, say POST, any user can access the resource without any authentication for HTTP methods other than POST. The container does not even display your authentication screen for these methods, as your resource is not secured for them. But for the POST method, the user must be authenticated and must match the role names specified in the <auth-constraint>.
Also, you can access the resource if the corresponding doXXX method is defined in the servlet. If the methods other than POST are not implemented in the servlet, then there is no use applying the constraint to all methods in most cases, as the default implementation throws an exception.
Hope this helps
Thanks
Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
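As an added illustration of the point made in the post above (this fragment is not from the original post or from any particular project), here is the POST-only constraint that leaves every other method unauthenticated, followed by the corrected constraint that omits <http-method> so all methods are covered; the web-resource-name and role-name values are assumed.

```xml
<!-- WEAK: only POST is constrained. GET, PUT, DELETE, HEAD, OPTIONS,
     TRACE etc. on /acme/retail/* are served to anyone, and the container
     never shows the login screen for them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>retail-post-only</web-resource-name>
    <url-pattern>/acme/retail/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>retail-user</role-name>   <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- CORRECTED: no <http-method> element, so the constraint applies to
     every HTTP method for the pattern and only retail-user may access it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>retail-all-methods</web-resource-name>
    <url-pattern>/acme/retail/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>retail-user</role-name>   <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- Servlet 3.1 and later: if a constraint really must be method-specific,
     add this element directly under <web-app> so that any method not
     covered by some constraint is rejected instead of served without
     authentication. -->
<deny-uncovered-http-methods/>
```

The two <security-constraint> blocks are alternatives; deploy one or the other, not both.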