<auth-constraint>

 
Ranch Hand
Posts: 167
Inside <security-constraint> element
What would be the result of combining these 2 <security-constraint> elements:

<security-constraint>
...
<auth-constraint>
<role-name>*</role-name> <!-- Everybody -->
</auth-constraint>
</security-constraint>

<security-constraint>
...
<auth-constraint>
</auth-constraint> <!-- nobody -->
...
</security-constraint>
 
Ranch Hand
Posts: 45
Hi,

I think that no user is allowed to access, since the spec says: "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

So when there is a condition like nobody and everybody --> nobody.

Am I correct? If wrong, please correct me.
 
Ranch Hand
Posts: 40
Yes,

<auth-constraint></auth-constraint>
or
<auth-constraint/>

means that NO USER is allowed access to the resource outlined in the <web-resource-collection> element;
however, it does not restrict other resources within the same application from accessing the resource.

Please also note: The "*" will allow access to all role names defined in the deployment descriptor

Also, some folks have been asking for sources so this is direct from SUN:

An authorization constraint establishes a requirement for authentication and names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint. If there is no authorization constraint, the container must accept the request without requiring user authentication. If there is an authorization constraint, but no roles are specified within it, the container will not allow access to constrained requests under any circumstances. The wildcard character * can be used to specify all role names defined in the deployment descriptor. Security roles are discussed in Working with Security Roles.



http://docs.sun.com/app/docs/doc/819-3669/bncbk?a=view
 