Carmille Llo

Maybe I'm not picturing this correctly.

What I see is at first the DD looks something like this:

<security-contraint> <web-resource-collection> <web-resource-name>SomeResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>student</role-name> </auth-constraint> </security-contraint> <security-contraint> <web-resource-collection> <web-resource-name>AnotherResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-contraint>

which I understand that the <auth-constraint/> in the second <security-contraint> prevents anyone from accessing the resource.

Now when the multiple choice says "If the second <auth-constraint> tag is removed", does it mean this:

<security-contraint> <web-resource-collection> <web-resource-name>SomeResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>student</role-name> </auth-constraint> </security-contraint> <security-contraint> <web-resource-collection> <web-resource-name>AnotherResource</web-resource-name> <url-pattern>/some/*</url-pattern> </web-resource-collection> </security-contraint>

If so, then from what I understand, the second <security-contraint> is allowing everyone to access, while the first <security-contraint> only allows students to access. And then from rule 4 of pg 671 of the book, the 2 constraints combine and in turn allows everyone to access.

What is it that I'm picturing wrong here?

Thanks for your help Ranjit!

Hi,

Q30 says:

Your web application has a valid deployment descriptor in which student and sensei are the only security roles that have been defined. The deployment descriptor contains two security constraints that declare the same resource to be constrained. The first security constraint contains:

234. <auth-constraint> 235. <role-name>student</role-name> 236. </auth-constraint>

And the second security constraint contains:
251. <auth-constraint/>

Which are true?

A. As the deployment descriptor stands now, the constrained resource can be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by student users.

The book indicated that D was correct, which I agreed.

But under the errata list, it says that F was the correct answer instead. And this confuses me because in the book on pg. 671, rule 4 states that:

If one of the <security-constraint> elements has no <auth-constraint> element, it combines with anything else to allow access to everybody.

So which part is correct?

Thanks,
C