security-constraint + http-methods

 
Ranch Hand
Posts: 290
Hi folks, please help me here: (please, pay attention in capital letters).

"If there are NO <http-method> elements in the <web-resource-collection>, it would mean that NO http methods are allowed, by ANYONE in ANY role."

"But since we did put in one for GET, it means that ONLY GET is constrained, BUT "ANYONE" IN "ANY" role CAN access POST (or other HTTP methods, for instance)."

and here:

"If you DO specify an <http-method>, then only those methods specified will be constrained. In other words, once you specify even a single <http-method>, YOU AUTOMATICALLY *ENABLE* ANY HTTP METHODS WHICH YOU HAVE *NOT* SPECIFIED."


Could you explain it to me please?

Tks.
 
Steven Colley
Ranch Hand
Posts: 290
Let me try to improve my question.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TEST</web-resource-name>
    <url-pattern>/MyPath/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Member</role-name>
  </auth-constraint>
</security-constraint>

Member is allowed to access to "/MyPath/MyServlet" resource via GET - TRUE

My questions are:

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*?

2- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *GET*?

3- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*?

Tks in advance.
 
Ranch Hand
Posts: 37
My answers are :

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*? - NO

2- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *GET*? - NO

3- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*? - YES
 
Ranch Hand
Posts: 42
1) YES
2) NO
3) YES
 
Ranch Hand
Posts: 69

Originally posted by Felipe Pittella:

1- Is Member allowed to access the "/MyPath/MyServlet" resource via *POST*?

2- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *GET*?

3- Is Admin (a role not specified for that web-resource) allowed to access the "/MyPath/MyServlet" resource via *POST*?



Hi all,

I agree with Connie. Answers are

1) yes
2) No
3) Yes
 
Steven Colley
Ranch Hand
Posts: 290
Hi Connie and Jaya, could you please help me to figure it out?

Just making it clear, so...

1) This works fine because the other HTTP methods like POST were released since GET was constrained, right?

2) Is this because "Admin" is not part of the auth-constraint tag (role-name), since the constrained resource is using the GET method, right?

3) Because "Admin" is not a member of role-name, and it's not using the GET method.


Tks in advance.
 
Ranch Hand
Posts: 30
The resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only by those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta
 
Connie Ky Leung
Ranch Hand
Posts: 42

Originally posted by shweta bulbule:
The resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only by those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta



I agree with the explanation of shweta bulbule.
The summary given is the essence of web security that should be memorized for the exam.
 
Connie Ky Leung
Ranch Hand
Posts: 42

Originally posted by shweta bulbule:
The resource (specified in the URL) using the method which is constrained (in our example GET) can be accessed only by those who have the permission (MEMBER).
resource + GET + role Member = YES
resource + any method other than GET + any role = YES
resource + GET + any role other than Member = FALSE

Correct me if I'm wrong.

Thanks,
Shweta



Since the <url-pattern> subelement of the <web-resource-collection> element is configured as /MyPath/* in the example, I want to revise Shweta's explanation.

resource in the MyPath directory of the web application + GET + role Member = YES
resource in the MyPath directory of the web application + any method other than GET + any role = YES
resource in the MyPath directory of the web application + GET + any role other than Member = FALSE

Please correct me if I am wrong.
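The rules summarised by Shweta and Connie above, written out as a small access-decision model that can be run against the thread's three questions. This is an added example, not code from the thread or from any servlet container; the function names and the dictionary layout for constraints are my own, and the constraint data is a hand-built copy of the posted web.xml fragment.

```python
# Added example, not code from the thread: a small model of how a servlet
# container decides access from <security-constraint> elements, applied to
# the web.xml fragment posted above. Names and data structures are my own.

def url_matches(pattern, path):
    """Servlet url-pattern matching: exact path, prefix '/dir/*' or extension '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def is_allowed(constraints, path, method, roles):
    """True if a caller holding `roles` may use `method` on `path`.
    Rules from the servlet spec as summarised in the thread:
    - a collection with no <http-method> covers every method;
    - a collection that names methods covers only those, so any other
      method on the same URL is outside the constraint and stays open;
    - <auth-constraint/> with no <role-name> denies everyone;
    - otherwise the caller needs one of the listed roles;
    - when several constraints match, their role lists are combined.
    """
    matched, allowed_roles = False, set()
    for c in constraints:
        for coll in c["collections"]:
            if not any(url_matches(p, path) for p in coll["url_patterns"]):
                continue
            if coll["http_methods"] and method not in coll["http_methods"]:
                continue  # this collection does not constrain `method`
            if c["auth_roles"] is None:
                return True  # matching constraint without <auth-constraint>: open
            matched = True
            allowed_roles |= set(c["auth_roles"])
    if not matched:
        return True  # nothing constrains this request at all
    return bool(roles & allowed_roles)

# The thread's web.xml as data: /MyPath/* constrained for GET, role Member only.
CONSTRAINTS = [{
    "collections": [{"url_patterns": ["/MyPath/*"], "http_methods": ["GET"]}],
    "auth_roles": ["Member"],
}]

def thread_answers():
    """Questions 1-3: Member via POST, Admin via GET, Admin via POST."""
    return tuple(is_allowed(CONSTRAINTS, "/MyPath/MyServlet", m, {r})
                 for m, r in (("POST", "Member"), ("GET", "Admin"), ("POST", "Admin")))
```

Dropping the `<http-method>` line from the data (an empty `http_methods` list) makes the same constraint cover POST as well, which is the safer configuration when the intent is to protect the whole path rather than one verb.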
 
Steven Colley
Ranch Hand
Posts: 290
Connie and Shweta ,

Tks so much, it will help me a lot.

 