Dueling auth-constraint elements

hi,

have a question on web-app security...
when having more than one <security-constraint> elements in the DD with conflicts... the HFS book describes how the various conflicts can be resolved...
here is the DD..

<web-app>

<security-constraint>
<web-resource-collection>
<web-resource-name>Something</web-resource-name>
<url-pattern>/me/Display/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Something</web-resource-name>
<url-pattern>/me/Display/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint> ///this or is this tag is not included at all...
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

the book discusses all combinations except this one ... one that allows all roles to request and one that allows none to access... though the DD may not make sense nevertheless it is one valid combination...
The HFS book says that an empty <auth-constraint/> has the final word but the next line says that --- "If one of the <security-constraint> elements has not <auth-constraint> element then it combines with anything else to allow access to all"...
so does the abv combination allow access to all roles or does it prevent access to all....

Regards
Simon

[ May 16, 2006: Message edited by: Roy Simon ]

[ May 16, 2006: Message edited by: Roy Simon ]
[ May 16, 2006: Message edited by: Roy Simon ]

Hi,

<url-pattern>/me/Display/* </url-pattern>
<http-method>POST</http-method>

Assuming the url-pattern tag closed properly. The above web.xml entry does permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone.

Thanks

quote
"Assuming the url-pattern tag closed properly. The above web.xml entry does permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone."

Narendra <auth-constraint/> means no roles have access.
How come it does permit access to anyone for /me/Display/* due to <auth-constraint/> entry


Simon, you are right there are no comments in HFSJ on the combination of

<auth-constraint/> entry

along with

<auth-constraint> ///this or is this tag is not included at all...
<role-name>*</role-name>
</auth-constraint>


So, Still expecting a good answer from experts.

Regards

Gaurav

HFSJ shouldn't have to give that example because it says that an empty <auth-constraint/> always gets the final word.

Hi Gaurav,

Sorry for the typo. I want to say

Assuming the url-pattern tag closed properly. The above web.xml entry does NOT permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone.

A single missing word really change the meaning of the statement.

Thanks

Thanks Marc & Narendra
So now I got it an empty <auth-constraint/> always gets the final word.