
Enthuware mock exam: http-method in security-constraint

 
Sim Kim
Ranch Hand
Posts: 268
This is from an Enthuware mock exam:

<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
...
</web-app>


When there is no <http-method> element in <security-constraint>, are all methods protected or are all exempted?
 
Dale Seng
Ranch Hand
Posts: 275
Leaving out the http-method is the same as listing every one (i.e. <http-method>GET</http-method> <http-method>POST</http-method> etc.). So it's a pretty good way to do it. If you put just one method, that opens up a hole for other methods. In other words, if you put only <http-method>GET</http-method>, people could get to your resource through the POST method without authentication, and you may not have wanted that.

--Dale--
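An added example (not from the thread or from Enthuware): a small Python check that scans a deployment descriptor for the case described in the answer above, a web-resource-collection that lists specific <http-method> elements and so leaves every other method unconstrained. The sample web.xml, the "reports" resource and the function name audit_web_xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the first constraint mirrors the one in the
# question (no <http-method>), the second lists only GET.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(elem):
    """Tag name with any XML namespace stripped (real web.xml files declare one)."""
    return elem.tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c) == name]

def audit_web_xml(xml_text):
    """Return (resource name, url patterns, listed methods) for each
    web-resource-collection that constrains only the methods it lists."""
    findings = []
    root = ET.fromstring(xml_text)
    for constraint in children(root, "security-constraint"):
        for coll in children(constraint, "web-resource-collection"):
            methods = [(m.text or "").strip() for m in children(coll, "http-method")]
            if not methods:
                continue  # no <http-method>: the constraint applies to every method
            name = "".join((n.text or "").strip() for n in children(coll, "web-resource-name"))
            patterns = [(p.text or "").strip() for p in children(coll, "url-pattern")]
            findings.append((name, patterns, methods))
    return findings

if __name__ == "__main__":
    for name, patterns, methods in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{name} {patterns}: only {methods} constrained; other methods are not covered")
```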
 