Confused about HFSJ 2nd Ed Final Mock Exam Q30

Hi,

Q30 says:

Your web application has a valid deployment descriptor in which student and sensei are the only security roles that have been defined. The deployment descriptor contains two security constraints that declare the same resource to be constrained. The first security constraint contains:

234. <auth-constraint> 235. <role-name>student</role-name> 236. </auth-constraint>

And the second security constraint contains:
251. <auth-constraint/>

Which are true?

A. As the deployment descriptor stands now, the constrained resource can be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by student users.

The book indicated that D was correct, which I agreed.

But under the errata list, it says that F was the correct answer instead. And this confuses me because in the book on pg. 671, rule 4 states that:

If one of the <security-constraint> elements has no <auth-constraint> element, it combines with anything else to allow access to everybody.

So which part is correct?

Thanks,
C

Option D is wrong because , when the second constraint tag is removed , the constrained resource can be accessed only by "student" roles , not by both sensei and student roles.


<auth-constraint/> or <auth-constraint></auth-constraint> is an empty tag.

This is not same as "no <auth-constraint> element" which means the absence of the tag.

-HTH

Maybe I'm not picturing this correctly.

What I see is at first the DD looks something like this:

<security-contraint> <web-resource-collection> <web-resource-name>SomeResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>student</role-name> </auth-constraint> </security-contraint> <security-contraint> <web-resource-collection> <web-resource-name>AnotherResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-contraint>

which I understand that the <auth-constraint/> in the second <security-contraint> prevents anyone from accessing the resource.

Now when the multiple choice says "If the second <auth-constraint> tag is removed", does it mean this:

<security-contraint> <web-resource-collection> <web-resource-name>SomeResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>student</role-name> </auth-constraint> </security-contraint> <security-contraint> <web-resource-collection> <web-resource-name>AnotherResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> </security-contraint>

If so, then from what I understand, the second <security-contraint> is allowing everyone to access, while the first <security-contraint> only allows students to access. And then from rule 4 of pg 671 of the book, the 2 constraints combine and in turn allows everyone to access.

What is it that I'm picturing wrong here?

Thanks for your help Ranjit!

Yes, should be all can access.

Unless it said the second <security-constraint> removed, then the answer is only student can access.

May be you can report another errata to revert the current errata ... confuse.

Hi Lee,

Unless it said the second <security-constraint> removed, then the answer is only student can access.

Even if there exists a <security-constraint>for a component and there's no mention of the <auth-constraint>element, it means that everyone including the student role is granted access to that resource.

Hence Carmille, you are correct in your reasoning.

You can raise an errata to correct this errata as Lee pointed out.