Dueling auth-constraint elements

 
hi,

have a question on web-app security...
when having more than one <security-constraint> element in the DD with conflicts... the HFS book describes how the various conflicts can be resolved...
here is the DD...

<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- this, or is this tag not included at all... -->
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>

the book discusses all combinations except this one... one that allows all roles to request and one that allows none to access... though the DD may not make sense, nevertheless it is one valid combination...
The HFS book says that an empty <auth-constraint/> has the final word, but the next line says that --- "If one of the <security-constraint> elements has no <auth-constraint> element then it combines with anything else to allow access to all"...
so does the above combination allow access to all roles or does it prevent access to all?

Regards
Simon

[ May 16, 2006: Message edited by: Roy Simon ]
 
Hi,

<url-pattern>/me/Display/* </url-pattern>
<http-method>POST</http-method>

Assuming the url-pattern tag is closed properly, the above web.xml entry does permit access to anyone for the /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

Thanks
 
quote
"Assuming the url-pattern tag closed properly. The above web.xml entry does permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone."

Narendra, <auth-constraint/> means no roles have access.
How come it does permit access to anyone for /me/Display/* due to the <auth-constraint/> entry?


Simon, you are right; there are no comments in HFSJ on the combination of

<auth-constraint/> entry

along with

<!-- this, or is this tag not included at all... -->
<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>


So, still expecting a good answer from experts.

Regards

Gaurav
 
HFSJ shouldn't have to give that example because it says that an empty <auth-constraint/> always gets the final word.
 
Narendra Dhande
Hi Gaurav,

Sorry for the typo. I want to say

Assuming the url-pattern tag is closed properly, the above web.xml entry does NOT permit access to anyone for the /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

A single missing word really changes the meaning of the statement.

Thanks
 
Gaurav Gambhir
Thanks Marc & Narendra.
So now I got it: an empty <auth-constraint/> always gets the final word.
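As an added illustration (not code from this thread or from HFSJ), here is a small Python checker that parses a web.xml fragment and merges every auth-constraint applying to the same url-pattern and method with the rules the thread settled on: an empty <auth-constraint/> denies all roles and always has the final word, a missing <auth-constraint> otherwise opens access to all, and anything else is the union of the named roles. The fragment is constructed; it extends Simon's DD with a GET case so the "missing element" rule is exercised too.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the thread (not the poster's exact file):
# POST on /me/Display/* is covered by an empty <auth-constraint/> and by a role "*"
# constraint; GET by role "*" and by a constraint with no <auth-constraint> at all.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/me/Display/*</url-pattern><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/me/Display/*</url-pattern>
   <http-method>POST</http-method><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/me/Display/*</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
 </security-constraint>
</web-app>"""

DENY_ALL = frozenset()   # empty <auth-constraint/>: no role may access
ALLOW_ALL = None         # no <auth-constraint> element: open to everyone

def combine(current, new):
    """Merge two auth-constraints that apply to the same (url-pattern, method)."""
    if current == DENY_ALL or new == DENY_ALL:
        return DENY_ALL        # an empty <auth-constraint/> always has the final word
    if current is ALLOW_ALL or new is ALLOW_ALL:
        return ALLOW_ALL       # otherwise a missing <auth-constraint> opens access to all
    return current | new       # otherwise the union of the named roles ("*" = any role)

def effective_constraints(xml_text):
    """Return {(url-pattern, method): roles}; roles is DENY_ALL, ALLOW_ALL or a frozenset."""
    merged = {}
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = ALLOW_ALL if ac is None else frozenset(
            r.text.strip() for r in ac.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            for pat in wrc.findall("url-pattern"):
                for m in wrc.findall("http-method"):   # every collection here lists methods
                    key = (pat.text.strip(), m.text.strip())
                    merged[key] = combine(merged[key], roles) if key in merged else roles
    return merged
```

For the fragment above the checker reports POST on /me/Display/* as denied to everyone and GET as open to everyone, which is the outcome Narendra and Marc describe.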