
Security Authorization Doubt

 
shiva viswanathan
Ranch Hand
Posts: 152
Hi All,

I have some scenarios about authorization which I am not very clear on.

1.

<security-constraint>

.....

<http-method>GET</http-method>

</security-constraint>

(i.e. no <auth-constraint>)
What are the permissions of the users in such a case?
Does no role have access to the GET method? What about other methods?

2.

<security-constraint>
..........

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

</security-constraint>

(i.e. no HTTP method)

This means that Admin has access to all the methods; what about other users?


3.
<security-constraint>

.....

<http-method>GET</http-method>

</auth-constraint>
</security-constraint>

(i.e. empty auth-constraint with no role names)
What is the accessibility of GET, and what about other methods?

I think this is one of the most confusing topics (of which even the authors are not sure :-) ).

Can anyone please clarify? If possible, somebody could provide a matrix of the possible combinations.

Thanks
Shiva
 
Ruchi Kumar
Greenhorn
Posts: 7
1.
<security-constraint>
.....
<http-method>GET</http-method>
</security-constraint>
(i.e. no <auth-constraint>)
<auth-constraint> NOT being there is the same as <auth-constraint>*</auth-constraint>. So, ALL users can access the GET method on the given url-pattern. For all other HTTP methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on the given url-pattern.

2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
(i.e. no HTTP method)
You are right. If NO http-method is specified, the security constraint applies to all methods. So, Admin has access to ALL methods. Also, everybody other than Admin also has access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.

3.
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
</security-constraint>
(i.e. empty auth-constraint with no role names)
I think, firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />.
Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other HTTP methods (besides GET), everybody has access to them on the given url-pattern.

Please make sure you have the errata marked on your copy of HFSJ; then the whole concept is crystal clear from the book itself.

In fact, there is a very good example in the specs: SVR.12.8.2, Page 98, with a nice matrix as the solution.

Hope this helps!
Regards,
Ruchi.
[ June 01, 2005: Message edited by: Ruchi Kumar ]
 
shiva viswanathan
Ranch Hand
Posts: 152
Thanks Ruchi,

</auth-constraint> was a typo.

Anyway, I had already read about the errata but still wasn't clear.

Now I am pretty clear, thanks to you.

But are you sure about the 2nd question? The permission of everybody (other than Admin) should be no methods: since no http-method tag means all methods are accessible by Admin, doesn't this automatically mean that others don't have permission on any of the methods?

Thanks
Shiva
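Since the thread asks for a matrix of the combinations, here is an added example (not code from the thread or from the book) that parses the three scenarios above from a constructed web.xml and evaluates access the way the Servlet 2.4 specification's combining rules (SRV.12.8) define it: a missing auth-constraint leaves a resource open to everyone, an empty one denies everyone, a listed role restricts access to that role, a missing http-method covers all methods, and a method that no constraint covers is unconstrained. Path names are invented, and url-pattern matching is simplified to exact paths and "/prefix/*".

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment: the three cases from the thread (paths invented).
WEB_XML = """<web-app>
  <security-constraint>  <!-- case 1: GET listed, no auth-constraint -->
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name><url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>  <!-- case 2: Admin role, no http-method -->
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>  <!-- case 3: GET listed, empty auth-constraint -->
    <web-resource-collection>
      <web-resource-name>archive</web-resource-name><url-pattern>/archive/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
def load_constraints(xml_text):
    """Return [(url_patterns, methods, roles)]; methods None = every method, roles None = no <auth-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text for p in wrc.findall("url-pattern")]
        methods = {m.text for m in wrc.findall("http-method")} or None
        ac = sc.find("auth-constraint")  # absent element vs. empty element are different cases
        out.append((patterns, methods,
                    None if ac is None else {r.text for r in ac.findall("role-name")}))
    return out

def matches(pattern, path):  # simplified url-pattern matching: exact path or "/prefix/*"
    return path.startswith(pattern[:-1]) if pattern.endswith("/*") else pattern == path

def can_access(constraints, path, method, roles=None):
    """roles=None is an unauthenticated caller; combining rules follow SRV.12.8.1."""
    applicable = [r for pats, meths, r in constraints
                  if any(matches(p, path) for p in pats) and (meths is None or method in meths)]
    if not applicable:
        return True   # no constraint covers this path/method: open to everyone
    if any(r is not None and not r for r in applicable):
        return False  # an empty auth-constraint overrides all others: nobody
    if any(r is None for r in applicable):
        return True   # a constraint with no auth-constraint admits unauthenticated callers
    union = set().union(*applicable)
    return roles is not None and ("*" in union or bool(union & roles))
```

Calling can_access for each path, method and caller (None, {"Guest"}, {"Admin"}) yields the matrix: case 1 is open to everyone for every method, case 2 is Admin-only for every method, and case 3 denies GET to everyone while leaving the other methods open.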
 
Sanjay pts
Ranch Hand
Posts: 357
Hi Ruchi,
Can you please send me a link to where I can find this?

SVR.12.8.2, Page 98.

???
 