A mock question about security

 
avseq anthoy
Ranch Hand
Posts: 106
Consider the web.xml snippet shown in the exhibit.
exhibit:
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/jsp/protected.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
...
</web-app>

Now consider the code for a jsp file named unprotected.jsp:

<html>
<body>
<jsp:include page="/jsp/protected.jsp" />
</body>
</html>
Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?


Select 1 correct option.
a The user will be prompted to enter user name and password.

b An exception will be thrown.

c protected.jsp will be executed but its output will not be included in the response.

d The call to include will be ignored.

e None of these.

answer: e

I think the answer is a; correct me if I am wrong.
Thx!!
 
Alec Lee
Ranch Hand
Posts: 569
Whether /jsp/protected.jsp is a constrained resource is not important here. Just like a private method being called by another method. It all depends on the page including the /jsp/protected.jsp. So e is correct.
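
Declarative security constraints are checked on requests coming from the client, not on internal RequestDispatcher includes or forwards, which is why the include in unprotected.jsp is not stopped. One way to enforce the manager role on those internal dispatches as well, as an added example that is not part of the original thread (it assumes the javax.servlet API; the class name IncludeRoleFilter and the filter name includeRole are hypothetical):

```java
// Added example, not code from the thread. IncludeRoleFilter is a hypothetical name.
// Assumed web.xml mapping, so the filter runs on internal dispatches too:
//   <filter-mapping>
//     <filter-name>includeRole</filter-name>
//     <url-pattern>/jsp/protected.jsp</url-pattern>
//     <dispatcher>INCLUDE</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class IncludeRoleFilter implements Filter {
    // Role taken from the <auth-constraint> in the thread's web.xml.
    private static final String REQUIRED_ROLE = "manager";
    // Request attribute the container sets on the request during an include.
    private static final String INCLUDE_URI = "javax.servlet.include.request_uri";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // isUserInRole is false for anonymous callers as well as for
        // authenticated users who lack the role.
        if (http.isUserInRole(REQUIRED_ROLE)) {
            chain.doFilter(req, res);
            return;
        }
        if (req.getAttribute(INCLUDE_URI) == null) {
            // Forward: the response is still ours to set, so refuse it.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        // Include: an included resource cannot change status or headers, so
        // fail closed by skipping protected.jsp; it contributes no output.
    }

    public void destroy() { }
}
```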
 
avseq anthoy
Ranch Hand
Posts: 106
Thx for your reply.
I want to ask another question.
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/jsp/protected.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
...
</web-app>
If I don't define <http-method> in web-resource-collection,
does it mean that manager can't request protected.jsp by any method?
or
manager can request protected.jsp by any method?
Which combination is correct?
Thx!!
 
Alec Lee
Ranch Hand
Posts: 569
If you are using HFSJ, its errata is the errata! The book's original description is correct.

Anyway, without <http-method>, ALL http methods are constrained according to the <security-constraint> defined.
 