security-constraint question
Leandro Melo
Ranch Hand
Posts: 401
posted 11 years ago
Hi.
I've just read a couple of confusing pages of HFSJ. Those are pages 634-635!
I just can't get this contradictory stuff about 'http-method' element.
The book says something, the errata says other. These two pages are too weird.
Is there a final veredict :-)?
So, if I DON'T put any 'http-method' element under 'web-resource-collection', will ALL the HTTP methods be ALLOWED or CONSTRAINED???
Thanks.
[ July 27, 2005: Message edited by: Leandro Melo ]
I've just read a couple of confusing pages of HFSJ. Those are pages 634-635!
I just can't get this contradictory stuff about 'http-method' element.
The book says something, the errata says other. These two pages are too weird.
Is there a final veredict :-)?
So, if I DON'T put any 'http-method' element under 'web-resource-collection', will ALL the HTTP methods be ALLOWED or CONSTRAINED???
Thanks.
[ July 27, 2005: Message edited by: Leandro Melo ]
Leandro Melo
SCJP 1.4, SCWCD 1.4
PNS Subramanian
Ranch Hand
Posts: 150
posted 11 years ago
My understanding is as follows
Any other views on this ?
What ever is mentioned in the <http-method> </http-method> tag is CONSTRAINED since it is within the <security-constraint> tag.
<security-constraint>
<web-resource-collection>
<web-resource-name> <web-resource-name>
<url-pattern> </url-pattern>
<http-method> </http-method>
</web-resource-collection>
</security-constraint>
Any other views on this ?
Osama Hasan
Ranch Hand
Posts: 53
shiva viswanathan
Ranch Hand
Posts: 152
posted 11 years ago
HI ,
This question has been discussed extensively before itself
And the verdict is when there is no http-method no methods are constrained
In fact one of them had tried out the possible combinations and this is
how it worked
*** Combination of http-method and auth-constraint
--------------------------------------------------------------------
http-methodauth-constraintresult
--------------------------------------------------------------------
none none OK. no login asked
none blank 403 forbidden
none role-name tomcat valid login allowed
invalid login not allowed
GET none OK. no login asked
GET blank 403 forbidden
GET role-name tomcat valid login allowed
invalid login not allowed
--------------------------------------------------------------------
Additional explanation and scenarios
1.
<security-constraint>
.....
<http-method>GET</http-method>
<security-constraint>
(ie no <auth-constraint> )
<auth-constraint> NOT being there is same as <auth-costraint>*</auth-costraint>. So, ALL users can access GET method on the give url-pattern. For all other http - methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on given url-pattern.
2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(ie no HTTP method)
You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also have access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.
3
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
<security-constraint>
(ie empty auth-constraint with no role names )
I think firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods(besides GET), everybody has access to them on the given url-pattern.
In fact, there is a very good example in the specs: SVR.12.8.2, Page 98. with a nice matrix as solution.
Thanks
Shiva
This question has been discussed extensively before itself
And the verdict is when there is no http-method no methods are constrained
In fact one of them had tried out the possible combinations and this is
how it worked
*** Combination of http-method and auth-constraint
--------------------------------------------------------------------
http-methodauth-constraintresult
--------------------------------------------------------------------
none none OK. no login asked
none blank 403 forbidden
none role-name tomcat valid login allowed
invalid login not allowed
GET none OK. no login asked
GET blank 403 forbidden
GET role-name tomcat valid login allowed
invalid login not allowed
--------------------------------------------------------------------
Additional explanation and scenarios
1.
<security-constraint>
.....
<http-method>GET</http-method>
<security-constraint>
(ie no <auth-constraint> )
<auth-constraint> NOT being there is same as <auth-costraint>*</auth-costraint>. So, ALL users can access GET method on the give url-pattern. For all other http - methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on given url-pattern.
2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(ie no HTTP method)
You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also have access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.
3
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
<security-constraint>
(ie empty auth-constraint with no role names )
I think firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods(besides GET), everybody has access to them on the given url-pattern.
In fact, there is a very good example in the specs: SVR.12.8.2, Page 98. with a nice matrix as solution.
Thanks
Shiva
Leandro Melo
Ranch Hand
Posts: 401
posted 11 years ago
Hi Shiva.
I think you contradicted yourself a little :-). Your above sentence doesn't match with all the explanation. Take a carefull read.
Anyway, I found 3 posts about this on the ranch. The biggest and more clarifying one is this one: http://www.coderanch.com/t/169402/java-Web-Component-SCWCD/certification/multiple-security-constraint-elements
It explains everything.
Also, I confirmed all the information on the 2.4 servlet spec (page 133) and the final veredict is (check the spec if you need).
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
And just for completness, this goes agains the errata for HFSJ.
Originally posted by shiva viswanathan:
And the verdict is when there is no http-method no methods are constrained
I think you contradicted yourself a little :-). Your above sentence doesn't match with all the explanation. Take a carefull read.
Anyway, I found 3 posts about this on the ranch. The biggest and more clarifying one is this one: http://www.coderanch.com/t/169402/java-Web-Component-SCWCD/certification/multiple-security-constraint-elements
It explains everything.
Also, I confirmed all the information on the 2.4 servlet spec (page 133) and the final veredict is (check the spec if you need).
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
And just for completness, this goes agains the errata for HFSJ.
Leandro Melo
SCJP 1.4, SCWCD 1.4
shiva viswanathan
Ranch Hand
Posts: 152
posted 11 years ago
Hi Leandro ,
Just noticed the difference between what i specified and what you specified
I specified
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------
You specified
------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
There is a subtle difference in words and i think both mean the same
Say for eg if we have a user role admin with no http-method specified
This means that admin can access all methods
Is this what your sentence also conveying since my sentence is exatly conveying that .
PLease confirm this.
Thanks
Shiva
Just noticed the difference between what i specified and what you specified
I specified
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------
You specified
------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
There is a subtle difference in words and i think both mean the same
Say for eg if we have a user role admin with no http-method specified
This means that admin can access all methods
Is this what your sentence also conveying since my sentence is exatly conveying that .
PLease confirm this.
Thanks
Shiva
Jingh Yi
Ranch Hand
Posts: 90
posted 11 years ago
Shiva,
I think they are totally different.
For your example, if we have a user role admin contraint with no http-method specified, your saying:
means there is no constraints what so ever for all http methods. In other words, this means, all users can access all http methods.
But Melo's saying:
means only user role admin can access all HTTP methods. Other user roles can't access any HTTP methods.
I agree with Melo.
Am I right?
Thanks,
Jenny
I think they are totally different.
For your example, if we have a user role admin contraint with no http-method specified, your saying:
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------
means there is no constraints what so ever for all http methods. In other words, this means, all users can access all http methods.
But Melo's saying:
------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
means only user role admin can access all HTTP methods. Other user roles can't access any HTTP methods.
I agree with Melo.
Am I right?
Thanks,
Jenny
Leandro Melo
Ranch Hand
Posts: 401
posted 11 years ago
No Shiva!!! Absolutely not!
If I was to say the sentence in your words, it would be like this:
And the verdict is when there is no http-method ALL methods are constrained
That's what the spec says. Is the difference clear now???
Originally posted by shiva viswanathan:
Hi Leandro ,
Just noticed the difference between what i specified and what you specified
I specified
------------------------------------------------------------------
And the verdict is when there is no http-method no methods are constrained
------------------------------------------------------------------
You specified
------------------------------------------------------
If no HTTP methods are specified then the security constraint applies to all HTTP methods.
----------------------------------------------------------
There is a subtle difference in words and i think both mean the same
No Shiva!!! Absolutely not!
If I was to say the sentence in your words, it would be like this:
And the verdict is when there is no http-method ALL methods are constrained
That's what the spec says. Is the difference clear now???
Leandro Melo
SCJP 1.4, SCWCD 1.4
| Did you see how Paul cut 87% off of his electric heat bill with 82 watts of micro heaters? |