Dueling auth-constraint elements

Ranch Hand
Posts: 62
Hi,

I have a question on web-app security...
When there is more than one <security-constraint> element in the DD and they conflict, the HFS book describes how the various conflicts can be resolved...
Here is the DD...

<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint> <!-- this, or is this tag not included at all... -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>

The book discusses all combinations except this one... one that allows all roles to request and one that allows none to access... Though the DD may not make sense, it is nevertheless one valid combination...
The HFS book says that an empty <auth-constraint/> has the final word, but the next line says --- "If one of the <security-constraint> elements has no <auth-constraint> element then it combines with anything else to allow access to all"...
So does the above combination allow access to all roles, or does it prevent access to all?

Regards
Simon

[ May 16, 2006: Message edited by: Roy Simon ]

Ranch Hand
Posts: 951
Hi,

<url-pattern>/me/Display/* </url-pattern>
<http-method>POST</http-method>

Assuming the url-pattern tag is closed properly: the above web.xml entry does permit access to anyone for the resource matching /me/Display/* and the POST method, due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

Thanks
Ranch Hand
Posts: 256
quote
"Assuming the url-pattern tag closed properly. The above web.xml entry does permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone."

Narendra, <auth-constraint/> means no roles have access.
How come it permits access to anyone for /me/Display/* due to the <auth-constraint/> entry?


Simon, you are right, there are no comments in HFSJ on the combination of

<auth-constraint/> entry

along with

<auth-constraint> <!-- this, or is this tag not included at all... -->
  <role-name>*</role-name>
</auth-constraint>


So, still expecting a good answer from the experts.

Regards

Gaurav
pie sneak
Posts: 4727
HFSJ shouldn't have to give that example because it says that an empty <auth-constraint/> always gets the final word.
Narendra Dhande
Ranch Hand
Posts: 951
Hi Gaurav,

Sorry for the typo. I want to say

Assuming the url-pattern tag is closed properly: the above web.xml entry does NOT permit access to anyone for the resource matching /me/Display/* and the POST method, due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

A single missing word really changes the meaning of the statement.

Thanks
Gaurav Gambhir
Ranch Hand
Posts: 256
Thanks Marc & Narendra.
So now I get it: an empty <auth-constraint/> always gets the final word.
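As an added example (not code from this thread or from HFSJ), here is a small Python model of how a container combines the constraints discussed above: it picks the best-matching url-pattern for a request, then applies the rules that an empty <auth-constraint/> overrides everything else, a constraint with no <auth-constraint> opens the resource to everyone, and otherwise the named roles are unioned. The web.xml is constructed for illustration; the extra admin-only constraint on /me/* is hypothetical and only there to exercise the best-match step.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the thread's two conflicting constraints on POST /me/Display/*,
# plus a hypothetical admin-only constraint on /me/* (all methods) to exercise best-match.
WEB_XML = """<web-app>
  <security-constraint><web-resource-collection><web-resource-name>Something</web-resource-name>
    <url-pattern>/me/Display/*</url-pattern><http-method>POST</http-method></web-resource-collection>
    <auth-constraint/></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>Something</web-resource-name>
    <url-pattern>/me/Display/*</url-pattern><http-method>POST</http-method></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>Admin</web-resource-name>
    <url-pattern>/me/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
</web-app>"""

def specificity(pattern, path):
    """Rank a url-pattern match: exact beats path prefix, longer prefix beats shorter
    (extension and default patterns are left out here)."""
    if pattern == path:
        return (2, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (1, len(pattern))
    return None

def effective_access(web_xml, path, method):
    """Return 'DENY_ALL', 'ALLOW_ALL' or the set of permitted roles for one request."""
    candidates = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if methods and method not in methods:  # no <http-method> means every method
                continue
            for up in wrc.findall("url-pattern"):
                rank = specificity(up.text.strip(), path)
                if rank is not None:
                    candidates.append((rank, sc.find("auth-constraint")))
    if not candidates:
        return "ALLOW_ALL"  # nothing constrains this resource/method
    best = max(rank for rank, _ in candidates)
    acs = [ac for rank, ac in candidates if rank == best]
    if any(ac is not None and ac.find("role-name") is None for ac in acs):
        return "DENY_ALL"  # an empty <auth-constraint/> overrides everything else
    if any(ac is None for ac in acs):
        return "ALLOW_ALL"  # a constraint with no <auth-constraint> opens it to everyone
    return {rn.text.strip() for ac in acs for rn in ac.findall("role-name")}
```

Running it for POST /me/Display/x yields DENY_ALL (the empty constraint wins over <role-name>*</role-name>), while GET on the same path is not covered by either POST-only constraint and falls through to the /me/* admin rule, which is Narendra's point about the other methods.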