• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

<security-constraint> in web.xml (http-method)

 
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have doubts in <http-method> under <security-constraint>.


<security-constraint>
<web-resource-collection>
<url-pattern>/TestConnectionServlet</url-pattern>
<http-method>get</http-method>
</web-resource-collection>
<auth-constraint>
<description>only member</description>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>

here if user role is member then that user can access GET method of /TestConnectionServlet but any other user with other role can access any method of TestConnectionServlet except GET method.

if above statement is correct then if i remove <http-method> then according to Head First
if there is no <http-method> in <web-resource-collection> , it would mean that NO HTTP methods are allowed by anyone in any role.
so assume that i removed <http_method> then i should not get access of TestConnectionServlet.
but still i m getting the access. WHY ?

I m using NETBEANS 6.5 and TOMCAT 6.0.14

What is meaning of all methods are constrained?

THANKS IN ADVANCE
MANISH

 
Ranch Hand
Posts: 72
Android Oracle Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

<security-constraint>
<web-resource-collection>
<url-pattern>/TestConnectionServlet</url-pattern>
<http-method>get</http-method>
</web-resource-collection>
<auth-constraint>
<description>only member</description>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>



This means when /TestConnectionServlet is accessed using GET http Method, allow only Member after user's authentication. Rest http methods are not constrained (No restrictions).

If you have <http-method>, only those methods which are explicitly mentioned are constrained. Remember the constraints are not set at resource levels, they are set for http methods only !
So when you remove the <http-method> totally, it means only allow member to access that resource for all methods.
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic