
HF security-constraint p. 660

 
Terry Martinson
Ranch Hand
Posts: 293
I am confused about something on p. 660 of the Head First book.
Here is the security constraint they are working with:


<web-app...>
...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stuff</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>


At the bottom right of the page it says "We left off <http-method> so that NO HTTP Methods are accessible to anyone except Admins."

But if you look back on p. 634, it says on the comment at bottom right:
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."

I may be missing something here, but I thought that leaving them out would mean NO methods allowed for anyone.
(I checked in the errata and didn't see anything on this.)

Thoughts anyone???

TJ
 
Chengwei Lee
Ranch Hand
Posts: 884
Hi Terry,

By having zero <http-method>, we're constraining all the HTTP methods. And only users with the admin role can invoke these methods.

I think it's a matter of how they phrased it that confused you.

HTH.
 
Terry Martinson
Ranch Hand
Posts: 293
I'm still a bit confused. So, in the situation listed, can Admin role invoke any HTTP methods?

TJ
 
Chengwei Lee
Ranch Hand
Posts: 884
Yep, users with the admin role can certainly invoke any of the HTTP methods. But anyone who does not have the admin role cannot invoke any HTTP methods at all, since they're all constrained.

HTH.
 
Bert Bates
author
Sheriff
Posts: 8905
Hi Terry,

Thanks for your question.

I think that your confusion is reasonable, mostly because I think the big annotation on page 634 could be worded better (and might actually be wrong... horrors!). So, what if the first sentence of the annotation read something like this:

"If there were NO <http-method> elements declared in the <w-r-c> it would mean that ALL methods are constrained, and can ONLY be accessed by those roles defined in the <auth-constraint> element."

Would that be clearer?

Thanks,

Bert
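Bert's rule above, as an added example that is not from the book or from anyone in this thread: a Servlet 3.1 web.xml that places the book's constraint (no <http-method>, so every method is constrained to Admin) beside a constraint that does list a method, where the other methods are left uncovered, and the Servlet 3.1 <deny-uncovered-http-methods/> element that closes that gap. The /reports/* path and the role declaration are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the book or the thread. Servlet 3.1 descriptor;
     the /reports/* path and the security-role block are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Constraint A: the book's form. With NO <http-method> element, EVERY
       method on /foo/bar/* is constrained, so only Admin can call any of them
       (GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, ...). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stuff</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint B: listing a method NARROWS the constraint to that method.
       Only GET on /reports/* requires Admin; POST, PUT, DELETE and the rest on
       the same URLs are "uncovered" and, by default, open to everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (GET only)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Servlet 3.1: reject every request whose method is not covered by some
       security-constraint, so constraint B no longer leaves a hole. -->
  <deny-uncovered-http-methods/>

  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>
```

On a Servlet 3.0 or older container the <deny-uncovered-http-methods/> element is not available, so the safe pattern there is the book's one: omit <http-method> entirely unless you also write constraints for every method you are not listing.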
 
Chengwei Lee
Ranch Hand
Posts: 884
It certainly sounds very clear to me now.

Would it be in the official errata or would it be updated for 2nd ed?
 
Terry Martinson
Ranch Hand
Posts: 293
Thanks Bert and Cheng. Now it all makes sense.
I did submit this out at the errata site late last week.

TJ
 