security-constraint question

Hi.
I've just read a couple of confusing pages of HFSJ. Those are pages 634-635!
I just can't get this contradictory stuff about 'http-method' element.
The book says something, the errata says other. These two pages are too weird.
Is there a final veredict :-)?
So, if I DON'T put any 'http-method' element under 'web-resource-collection', will ALL the HTTP methods be ALLOWED or CONSTRAINED???
Thanks.
[ July 27, 2005: Message edited by: Leandro Melo ]

My understanding is as follows

What ever is mentioned in the <http-method> </http-method> tag is CONSTRAINED since it is within the <security-constraint> tag.

<security-constraint>
<web-resource-collection>
<web-resource-name> <web-resource-name>
<url-pattern> </url-pattern>
<http-method> </http-method>
</web-resource-collection>
</security-constraint>

Any other views on this ?

Hi!
I think that if no <http-method> element is present in the <web-resource-collection> then the constraint applies to all of the http methods.
[ July 28, 2005: Message edited by: Osama Hasan ]

HI ,

This question has been discussed extensively before itself

And the verdict is when there is no http-method no methods are constrained

In fact one of them had tried out the possible combinations and this is
how it worked


*** Combination of http-method and auth-constraint
--------------------------------------------------------------------
http-methodauth-constraintresult
--------------------------------------------------------------------
none none OK. no login asked
none blank 403 forbidden
none role-name tomcat valid login allowed
invalid login not allowed

GET none OK. no login asked
GET blank 403 forbidden
GET role-name tomcat valid login allowed
invalid login not allowed
--------------------------------------------------------------------



Additional explanation and scenarios

1.
<security-constraint>
.....
<http-method>GET</http-method>
<security-constraint>
(ie no <auth-constraint> )

<auth-constraint> NOT being there is same as <auth-costraint>*</auth-costraint>. So, ALL users can access GET method on the give url-pattern. For all other http - methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on given url-pattern.

2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(ie no HTTP method)

You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also have access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.

3
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
<security-constraint>
(ie empty auth-constraint with no role names )

I think firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods(besides GET), everybody has access to them on the given url-pattern.

In fact, there is a very good example in the specs: SVR.12.8.2, Page 98. with a nice matrix as solution.

Thanks
Shiva

Hi Shiva.

Originally posted by shiva viswanathan:

And the verdict is when there is no http-method no methods are constrained

I think you contradicted yourself a little :-). Your above sentence doesn't match with all the explanation. Take a carefull read.

Anyway, I found 3 posts about this on the ranch. The biggest and more clarifying one is this one: https://coderanch.com/t/169402/java-Web-Component-SCWCD/certification/multiple-security-constraint-elements
It explains everything.
Also, I confirmed all the information on the 2.4 servlet spec (page 133) and the final veredict is (check the spec if you need).

If no HTTP methods are specified then the security constraint applies to all HTTP methods.

And just for completness, this goes agains the errata for HFSJ.

Hi Leandro ,

Just noticed the difference between what i specified and what you specified

I specified
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------

You specified

------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
There is a subtle difference in words and i think both mean the same


Say for eg if we have a user role admin with no http-method specified
This means that admin can access all methods

Is this what your sentence also conveying since my sentence is exatly conveying that .


PLease confirm this.

Thanks
Shiva

Shiva,

I think they are totally different.

For your example, if we have a user role admin contraint with no http-method specified, your saying:

------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------

means there is no constraints what so ever for all http methods. In other words, this means, all users can access all http methods.

But Melo's saying:

------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------

means only user role admin can access all HTTP methods. Other user roles can't access any HTTP methods.

I agree with Melo.

Am I right?

Thanks,
Jenny

Originally posted by shiva viswanathan:
Hi Leandro ,

Just noticed the difference between what i specified and what you specified

I specified
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------

You specified

------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
There is a subtle difference in words and i think both mean the same

No Shiva!!! Absolutely not!
If I was to say the sentence in your words, it would be like this:

And the verdict is when there is no http-method ALL methods are constrained

That's what the spec says. Is the difference clear now???