web app security - Dueling auth-constraint elements

 
Vidya Sethuraman
Ranch Hand
Posts: 45
Hi,
I have a doubt regarding dueling <auth-constraint> elements.
How does the container resolve access
if one security-constraint has an empty <auth-constraint/> tag and
the other constraint has
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Which one does it consider?
Allow access to everybody, or allow access to nobody?

Thanks!
 
Christophe Verré
Sheriff
Posts: 14691
I think this is described in the spec:

SRV.12.8.1 Combining Constraints

The special case of an authorization
constraint that names no roles shall combine with any other constraints to override
their affects and cause access to be precluded.

So nobody will have access. If anybody could comment on that, I'm not feeling 100% sure.
 
Vidya Sethuraman
Ranch Hand
Posts: 45
Hi,

Thanks for the quick reply! I read the spec and I think an empty <auth-constraint> is always the final word!
 