
HFSJ - errata

 
Gouri Bargi
Ranch Hand
Posts: 47
Hi,

I am currently preparing for SCWCD, using Head First Servlet and JSP. The book is really good, but watch out for the errata - the size of errata is quite large, and it contains many technical errors.

Anybody referring to this book, do check the errata at HFSJ Errata Page
 
Nicky Eng
Ranch Hand
Posts: 378
Since you're preparing for SCWCD, could you tell me which version of JDK or JRE and which version of Tomcat you are using for preparation? And each of the steps: which file to download and the settings?

Yes, I have downloaded the errata for HFSJ, so that I can review it when I study HFSJ.

Hope you could help me.

Thanks first
 
Gouri Bargi
Ranch Hand
Posts: 47
Hi Nicky,

I am using JDK 1.4, JRE 1.4.2 and Tomcat 5.5. I do not think the specific version really matters. As long as we are using a J2EE 1.4 compliant JRE and web server, it should work.

- Gouri
 
Nicky Eng
Ranch Hand
Posts: 378
I see...

I downloaded the (binary) .exe file under Tomcat 5.5.9, on this PAGE, and I have JRE 5.0. Is that enough to run the Tomcat 5.5.x version?
 
Gouri Bargi
Ranch Hand
Posts: 47
Hi Nicky,

I am using JRE 1.4.2 with Tomcat 5.5.9, because that is a requirement for some project I am doing. This required some configuration.

As per the Tomcat 5.5.9 release notes, Tomcat 5.5 is designed to run on J2SE 5.0 and later. So Tomcat 5.5.9 with JRE 5.0 should be fine.

- Gouri
 
Will Lee
Ranch Hand
Posts: 58
I have a question about the errata on the security part. On page 634 (ch 12), the book says on a hand-drawn diagram:
If there were (are) NO <http-method> elements, in the <web-resource-collection>, it would mean that NO Http methods are allowed...

The errata changes it to:
If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL Http methods are allowed...

However, on the following page, P635, both diagrams emphasize that:

....All methods are constrained simply by not putting in ANY <http-method> elements

...If you do NOT specify any <http-method>, you're constraining ALL http methods

Who should I trust?
 
Mat Williams
Ranch Hand
Posts: 215
Hi,

Here is a quote from the servlet specification:

SRV.12.8.3 Processing Requests
When a Servlet container receives a request, it shall use the algorithm described in SRV.11.1 to select the constraints (if any) defined on the url-pattern that is the best match to the request URI. If no constraints are selected, the container shall accept the request. Otherwise the container shall determine if the HTTP method of the request is constrained at the selected pattern. If it is not, the request shall be accepted. Otherwise, the request must satisfy the constraints that apply to the http-method at the url-pattern. Both of the following rules must be satisfied for the request to be accepted and dispatched to the associated servlet.


I have added the bold.

I hope this clears it up

Mat
 
Will Lee
Ranch Hand
Posts: 58
Two scenarios:

First:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ABCDE</web-resource-name>
    <url-pattern>/beer/AddRecipe/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>

  .......
</security-constraint>

Second:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ABCDE</web-resource-name>
    <url-pattern>/beer/AddRecipe/*</url-pattern>
    <!-- http-method>GET</http-method -->
  </web-resource-collection>

  .......
</security-constraint>

All the errata, specification and the HFSJ agree on the first scenario: you specified only the GET method, therefore this method is NOT allowed, all other requests should be OK to access the resource.

However, on the 2nd scenario, can I assume, based on the specification, that all requests will be allowed since none is constrained?
But the whole of page 635 (especially the last two sentences) emphasizes the opposite answer! The author put so much effort into pointing this out!
 
Mat Williams
Ranch Hand
Posts: 215
Hi,

Security is not my strongest point as I never use the built in security.

The way I read the specification is that if there are no <http-method> elements then nothing is constrained, but this doesn't make sense, so I went looking on the Sun site and came up with this url (which surprisingly is to the whizlabs site). It clearly states that the default, if there are no <http-method> elements, is to constrain all methods, which a) makes sense and b) seems to ring a bell from when I tested in the past.

Sorry for the previous confusion, I am not having a good day.

Mat
 
Will Lee
Ranch Hand
Posts: 58
Thank you so much for taking the time! And have a good day today!
Yes, you are right. I wrote a small jsp file to test the web.xml; the results are:
w/out <auth-constraint>, everything is allowed;
w/ this sub-element:
if <web-resource-collection> has NO <http-method>, it constrains all requests. Any request w/out the correct username/pwd will fail.

The original book is correct; the errata made an error.
Therefore, the errata should have an errata for itself!
[ September 12, 2005: Message edited by: Will Lee ]
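
The behaviour reported in the last post can be checked against a web.xml without deploying it. The following is an added example, not part of any post in this thread: a small Python audit that reads a constraint and lists the HTTP methods left unprotected. The role name Member, the request path, and the simplified URL matching (one constraint, exact and prefix patterns only) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments modelled on the two scenarios in the thread.
SCENARIO_1 = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>ABCDE</web-resource-name>
    <url-pattern>/beer/AddRecipe/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>Member</role-name></auth-constraint>
</security-constraint></web-app>"""
# Scenario 2: the same constraint with the <http-method> element removed.
SCENARIO_2 = SCENARIO_1.replace("<http-method>GET</http-method>", "")
# Scenario 2 again, this time without any <auth-constraint>.
NO_AUTH = SCENARIO_2.replace(
    "<auth-constraint><role-name>Member</role-name></auth-constraint>", "")


def url_matches(pattern, path):
    """Exact and '/prefix/*' patterns only (simplified, not full SRV.11.1)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def decide(web_xml, method, path):
    """Return 'open' or 'auth-required'. An <auth-constraint> that names
    no roles (deny everyone) is also reported as 'auth-required'."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = [m.text.strip().upper() for m in wrc.iter("http-method")]
            if not any(url_matches(p, path) for p in patterns):
                continue
            # No <http-method> elements: every method is constrained.
            if methods and method.upper() not in methods:
                continue
            if sc.find("auth-constraint") is not None:
                return "auth-required"
    return "open"


def unconstrained_methods(web_xml, path,
                          candidates=("GET", "POST", "PUT", "DELETE", "HEAD")):
    """Methods that reach `path` without authentication."""
    return [m for m in candidates if decide(web_xml, m, path) == "open"]
```

For scenario 1 the audit reports every method except GET as unprotected; for scenario 2 it reports none, which matches the test result above.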
 