
no http-method

 
louise rochford
Ranch Hand
Posts: 119
Kathy, Bert, Bryan help!

I'm well confused now.
If you specify no <http-method>s in the w-r-c, does this mean ALL http methods are allowed, or NO http methods are allowed?
The book & other posts on this forum say none (all constrained), but the book errata page states "If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."

If the book errata is correct, how do you make all the http methods constrained? List them all?

Thanks in advance,
Louise
 
Mike Curwen
Ranch Hand
Posts: 3695
I think the confusion might arise when you take the concept of "allowed" (whatever that means), confuse it with "constrained", and then apply concepts like "all" or "none" to either one, interchangeably.

A security-constraint is applied to a web-resource-collection.

Optionally, the web-resource-collection might have fine-grained http-methods.

So if your constraint for certain resources contains no method specifications, then the constraint is applied to "all" (since applying it to "none" wouldn't make any sense; what was the point?).

The moment you specify at least one method, the constraint is only applied against the (list of) method(s). If you specify only one method, then the constraint only applies when accessed by that method.

Without looking at the book and knowing the context, and from the errata alone, I can venture that it should (might?) have been written as:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are constrained."

I reserve the right to change my mind after looking at page {634}
[ November 23, 2004: Message edited by: Mike Curwen ]
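
The rule described in the post above, as an added example that is not part of the original thread: a short Python check that reads a constructed web.xml and reports which HTTP methods each security-constraint applies to. The descriptor, URL patterns, role names and function names are assumptions made for illustration, and the sample omits the XML namespace a real descriptor would carry.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): two constraints,
# one with no <http-method>, one that lists only GET.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def load_constraints(xml_text):
    """Return one dict per web-resource-collection: patterns, methods, roles."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # No <auth-constraint> at all: no role check. Present: listed roles only.
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            out.append({
                "patterns": [p.text.strip() for p in wrc.iter("url-pattern")],
                # Empty set means no <http-method> was listed.
                "methods": {m.text.strip().upper() for m in wrc.iter("http-method")},
                "roles": roles,
            })
    return out

def is_constrained(constraint, method):
    """No <http-method> listed: every method is covered. Otherwise only those listed."""
    return not constraint["methods"] or method.upper() in constraint["methods"]

def coverage(xml_text, methods=("GET", "POST", "PUT", "DELETE")):
    """Map each url-pattern to the subset of `methods` its constraint applies to."""
    return {p: [m for m in methods if is_constrained(c, m)]
            for c in load_constraints(xml_text) for p in c["patterns"]}
```

Calling `coverage(WEB_XML)` shows `/admin/*` constrained for every method checked, while `/reports/*` is constrained for GET only, so the other methods on that pattern fall outside the constraint.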
 
Mike Curwen
Ranch Hand
Posts: 3695
Ok, I've checked out page 634, and I stand by my correction to the errata.
The book should read: "If there were NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP methods were constrained."
 
louise rochford
Ranch Hand
Posts: 119
Hi Mike,
I'm with you & have submitted the errata correction.
Bet they don't test it & I'll never use it in practice... but it would have bugged me if you hadn't cleared it up.

Thanks for your help,
Louise
 
shankar valiinaykam
Greenhorn
Posts: 23
Hello Guys,

I understood that if no <http-method> is present in <web-resource-collection> all methods are constrained. I don't deny that. At the same time, all those http methods should be constrained to the ROLES MENTIONED in <auth-constraint> tag, right? Other roles cannot access them.

I saw a hand-written note in HFS book that if no http method is present, then no http method can be accessed by ANYONE in any role. Sorry guys, I don't remember the page no. But it is close to p-634. Can somebody clarify this, please?

Thanks,
Shankar
 