
http method in web app security

 
Jyothi Pathuri
Ranch Hand
Posts: 30
Hi everybody,

If a method is specified in the <http-method> element in <web-resource-collection>, then authentication will be asked for only if a request comes with that method. If no method is specified in <http-method>, does that mean that no resource can be accessed in that web app? Please clarify this point for me.
 
Jyothi Pathuri
Ranch Hand
Posts: 30
Does that mean that authentication will be asked for every method?
 
Madhu Sudhana
Ranch Hand
Posts: 127
<auth-method/> ---> this means no method can access that resource.
No <auth-method> means any method can be used.
 
Jyothi Pathuri
Ranch Hand
Posts: 30
Does that mean that authentication will be asked for every method?
 
Gaurav Gambhir
Ranch Hand
Posts: 256
<http-method> describes which HTTP methods are restricted for the resource.
If we put one, i.e. GET, it means only GET is constrained but anyone in any role can access POST.
So once you specify even a single <http-method> you automatically enable any HTTP methods which you have not specified.

Now HTTP methods won't work in a servlet unless you've overridden the doXXX() method, so if you have only doGet() in your servlet and you specify an <http-method> element for only GET, nobody can do a POST anyway, because the server knows you do not support POST.
 
Madhu Sudhana
Ranch Hand
Posts: 127
If there is no <auth-method>

we are explicitly informing the container that no method is constrained.

This means that for all the methods authentication is not required.
[ May 07, 2006: Message edited by: sudhana madhu ]
 
Saurabh Chaubey
Ranch Hand
Posts: 101
Hi Jyothi,

If you do not specify any <http-method> element then the resources with the given <url-pattern> would be constrained for all the HTTP methods. On the other hand, if you do specify an <http-method> element but do not specify any HTTP method (e.g. <http-method></http-method>) then all the HTTP methods would have unconstrained access to the specified resources.

Also, if you specify this element for any one kind of HTTP method then only that method is constrained while others are unconstrained.

I hope this clears your doubt.

Regards,
Saurabh
 