• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Junilu Lacar
  • Liutauras Vilda
Sheriffs:
  • Paul Clapham
  • Jeanne Boyarsky
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Piet Souris
  • Carey Brown
Bartenders:
  • Jesse Duncan
  • Frits Walraven
  • Mikalai Zaikin

Authorisation related

 
Ranch Hand
Posts: 183
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator


"BY MISTAKE I posted this question in the forum - HTML and javascript".Please remove it from there but not from here "


Suppose the DD has two roles defined - Admin and User.
Suppose there are two <security-constraint> elements in th DD. Both constrain the same
resource. One of them DOES NOT have a <auth-constraint> element.

The web.xml
-------------------




<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-constraint>
<web-resource-collection>
<web-resource-name>SS</web-resource-name>
<url-pattern>/mine/yes</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>SecurityQ</web-resource-name>
<url-pattern>/mine/yes</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>


<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>





When I requested /mini/yes in Tomcat 5.5 it did NOT ask for any authentication i.e.
it allows unauthenticated access to all the roles. There is a similar question in Katy Sierra Mock Exam (2nd Edition) - Q 30 . According to the Errata , only "user" role should be allowed access . WHY?


The Servlet Spec says ( which is not very clear ) :-

SRV 12.8.1
--------------
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."




My question is when combining constraints if one of the <security-constraint> element has NO <auth-constrain> how will it combine with others
 
Creator of Enthuware JWS+ V6
Posts: 3398
312
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Simran,

My question is when combining constraints if one of the <security-constraint> element has NO <auth-constrain> how will it combine with others



There are two possibilities:
  • <security-constraint> with NO <auth-constraint> combined with <security-constraint> with <auth-constraint></auth-constraint> means NOBODY has access
  • <security-constraint> with NO <auth-constraint> combined with any other <security-constraint> means EVERYBODY has access

  • Regards,
    Frits
     
    Ranch Hand
    Posts: 2066
    IntelliJ IDE Clojure Linux
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    With your constraints, every one can access the resources. And further, can you post the K&B's book question?
     
    Simran Dass
    Ranch Hand
    Posts: 183
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator

    Thankyou.

    And does everybody here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL " .
     
    Frits Walraven
    Creator of Enthuware JWS+ V6
    Posts: 3398
    312
    Android Eclipse IDE Chrome
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator

    And does everybody here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL "


    Yes it does.

    Regards,
    Frits
     
    Simran Dass
    Ranch Hand
    Posts: 183
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator

    Thaks a lot Frits
     
    With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    reply
      Bookmark Topic Watch Topic
    • New Topic