Question about security constraints

 
Ranch Hand
Posts: 62
Question:

if I have these security settings in the DD:

<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>*</auth-constraint>
</security-constraint>

then I have....

<security-constraint>
<web-resource-collection>
<web-resource-name>c2</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>

what roles are valid and what roles are not?
 
Ranch Hand
Posts: 40
Hi,

If we have more than one security constraint matching a URL pattern, then the rules are as follows:

1. Union of individual constraints is taken.
2. If one of the constraints is a "*" then all the roles have access to the given methods.
3. If we have one empty auth constraint then none of the roles will have access to the given method.

In your question, since you have an empty auth-constraint in the second one, none of the roles will have access to the given methods.

Regards,
Radhika
 
Ernesto Leyva
Ranch Hand
Posts: 62
So this means the

<auth-constraint />

overrides the

<auth-constraint>*</auth-constraint>

Thanks
 
Ernesto Leyva
Ranch Hand
Posts: 62
I was reading the spec and I just want to confirm.
Check the 1st and 2nd security constraints: the first one will require anyone to authenticate (username/password); however, the second one grants unauthenticated access to all resources. In this case the second constraint will overlap the first one, invalidating the auth-constraint for role1. Does someone know if this is right?


<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>role1</auth-constraint>
</security-constraint>

then I have....

<security-constraint>
<web-resource-collection>
<web-resource-name>c2</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
</security-constraint>
 
Ranch Hand
Posts: 100
Hi Ernesto,

Since in the second one you didn't specify an <auth-constraint> tag, this allows all users to access the resource, which is the direct opposite of putting an empty-body <auth-constraint> tag.

Hope this helps.
 
Ranch Hand
Posts: 951
Hi,

I think there is something wrong in your web.xml.

<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>


This should be
<security-role>
<role-name>role1</role-name>
</security-role>

<security-role>
<role-name>role2</role-name>
</security-role>


<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
<auth-constraint>role1</auth-constraint>
</web-resource-collection>
<security-constraint>



this should be

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>

For the * in auth-constraint:

<security-constraint>
<web-resource-collection>
<web-resource-name>c1</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

If the <auth-constraint/> occurs, then access is denied for all the matching URLs and HTTP methods, even though they were defined under a different web-resource-collection with any auth-constraint for the matching URL and HTTP method.

Hope it helps you.

Thanks
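Added example, not posted by anyone in this thread: a small Python model of the combination rules discussed above (union of role names, "*" meaning any authenticated user, a missing auth-constraint opening the resource, and an empty auth-constraint denying everyone regardless of the other constraints), run over a constructed web.xml that includes the c1/c2 shapes from the question. The helper names `constraint`, `url_matches` and `effective_access` are assumptions, and http-method is ignored (every constraint is taken to cover all methods).

```python
import xml.etree.ElementTree as ET

def constraint(name, pattern, roles=None):
    """Build one <security-constraint>: roles=None omits <auth-constraint>,
    roles=[] emits the empty <auth-constraint/> that denies everyone."""
    ac = "" if roles is None else "<auth-constraint>%s</auth-constraint>" % "".join(
        "<role-name>%s</role-name>" % r for r in roles)
    return ("<security-constraint><web-resource-collection><web-resource-name>%s"
            "</web-resource-name><url-pattern>%s</url-pattern></web-resource-collection>"
            "%s</security-constraint>" % (name, pattern, ac))

# Constructed deployment descriptor (not the thread's web.xml)
WEB_XML = "<web-app>%s</web-app>" % "".join([
    constraint("c1", "*.do", ["role1"]),
    constraint("c2", "*.do", []),            # empty auth-constraint, as in the question
    constraint("c3", "/admin/*", ["role1"]),
    constraint("c4", "/admin/*", ["role2"]),  # same pattern as c3: roles are unioned
    constraint("c5", "/reports/*", ["*"]),    # any authenticated user
    constraint("c6", "/public/*"),            # no auth-constraint at all
])

def url_matches(pattern, path):
    """Servlet-style matching: exact, path prefix '/x/*', or extension '*.ext'."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def effective_access(web_xml, path):
    """Combine every constraint whose url-pattern matches `path` the way the spec
    does. Returns 'deny', 'unrestricted', 'any-authenticated' or a set of roles."""
    roles, star, unconstrained, matched = set(), False, False, False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if not any(url_matches(p.text, path) for p in sc.iter("url-pattern")):
            continue
        matched = True
        ac = sc.find("auth-constraint")
        if ac is None:            # no auth-constraint: grants unauthenticated access
            unconstrained = True
            continue
        names = [r.text for r in ac.findall("role-name")]
        if not names:             # empty auth-constraint overrides everything else
            return "deny"
        star = star or "*" in names
        roles.update(n for n in names if n != "*")
    if not matched or unconstrained:
        return "unrestricted"
    return "any-authenticated" if star else roles
```

With this descriptor, every `*.do` request is denied because c2's empty auth-constraint wins over c1's role1, exactly the situation the question describes.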
 