• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Security constraint - regarding

 
Sub swamy
Ranch Hand
Posts: 121
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
According to HFSJ, an empty <auth-constraint> element combines with anything to ensure that nobody has access to the constrained resource, while ignoring <auth-constraint> element ensures that all have access. What if the two are mentioned together in a DD, for the same <web-resource-collection> ?
[ December 11, 2005: Message edited by: Subramanian PN ]
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE Ubuntu VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This is explained in the servlet spec (SRV. 12.8.1 Combining Constraints)

"The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
 
Vishnu Prakash
Ranch Hand
Posts: 1026
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

What if the two are mentioned together in a DD, for the same <web-resource-collection> ?


No one outside the web-application will have access to the resource.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic