Dueling auth-constraint elements

 
Roy Simon
Ranch Hand
Posts: 62
Hi,

I have a question on web-app security...
When there is more than one <security-constraint> element in the DD and they conflict, the HFS book describes how the various conflicts are resolved...
Here is the DD..

<web-app>

<security-constraint>
<web-resource-collection>
<web-resource-name>Something</web-resource-name>
<url-pattern>/me/Display/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Something</web-resource-name>
<url-pattern>/me/Display/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint> <!-- this, or is this tag not included at all... -->
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

The book discusses all combinations except this one: one that allows all roles to access and one that allows none to access... Though the DD may not make sense, it is nevertheless a valid combination...
The HFS book says that an empty <auth-constraint/> has the final word, but the next line says: "If one of the <security-constraint> elements has no <auth-constraint> element, then it combines with anything else to allow access to all"...
So does the above combination allow access to all roles, or does it prevent access to all?

Regards
Simon

[ May 16, 2006: Message edited by: Roy Simon ]
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

<url-pattern>/me/Display/* </url-pattern>
<http-method>POST</http-method>


Assuming the url-pattern tag is closed properly, the above web.xml entry does permit access to anyone for the /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

Thanks
 
Gaurav Gambhir
Ranch Hand
Posts: 256
quote
"Assuming the url-pattern tag closed properly. The above web.xml entry does permit access to anyone for /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other method of the same resource are open i.e. access is permitted to anyone."

Narendra <auth-constraint/> means no roles have access.
How come it does permit access to anyone for /me/Display/* due to the <auth-constraint/> entry?


Simon, you are right, there are no comments in HFSJ on the combination of

<auth-constraint/> entry

along with

<auth-constraint> <!-- this, or is this tag not included at all... -->
<role-name>*</role-name>
</auth-constraint>


So, still expecting a good answer from experts.

Regards

Gaurav
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
Mac Ruby VI Editor
HFSJ shouldn't have to give that example because it says that an empty <auth-constraint/> always gets the final word.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi Gaurav,

Sorry for the typo. I want to say

Assuming the url-pattern tag is closed properly, the above web.xml entry does NOT permit access to anyone for the /me/Display/* matching resource and POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

A single missing word really changes the meaning of the statement.

Thanks
 
Gaurav Gambhir
Ranch Hand
Posts: 256
Thanks Marc & Narendra
So now I got it an empty <auth-constraint/> always gets the final word.
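As an added example (not code from any poster in this thread), the following Python script parses the DD quoted above and applies the combination rules the thread is discussing, as the Servlet specification states them: an empty <auth-constraint/> precludes access no matter what else matches, a missing <auth-constraint> opens access to everyone, and otherwise the role lists are unioned, with "*" expanding to every declared <security-role>. The <security-role> declarations and the third, GET-only constraint on /me/Admin/* are constructed for the example; the url-pattern matching is a simplified version of the container's best-match rule (exact, then longest prefix, then extension, then default) and is an assumption of this script, not something the posters wrote.

```python
"""Combine <security-constraint> elements the way the Servlet spec describes (added example)."""
import xml.etree.ElementTree as ET

# Constructed web.xml: the two conflicting constraints from the thread, plus a
# constructed GET-only constraint and <security-role> declarations to show the role-union case.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin (constructed)</web-resource-name>
      <url-pattern>/me/Admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
</web-app>"""

DENY = "denied"              # empty <auth-constraint/> won: nobody gets in
ALLOW_ALL = "unconstrained"  # no constraint applies, or one had no <auth-constraint>


def parse_constraints(xml_text):
    """Return (declared_roles, [(url_patterns, http_methods, auth)]) from a web.xml string.

    auth is None when <auth-constraint> is absent, an empty set for <auth-constraint/>,
    otherwise the set of role names (possibly containing "*").
    """
    root = ET.fromstring(xml_text)
    roles = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    constraints = []
    for sc in root.iterfind("security-constraint"):
        patterns, methods = set(), set()
        for wrc in sc.iterfind("web-resource-collection"):
            patterns |= {p.text.strip() for p in wrc.iterfind("url-pattern")}
            methods |= {m.text.strip().upper() for m in wrc.iterfind("http-method")}
        ac = sc.find("auth-constraint")
        auth = None if ac is None else {r.text.strip() for r in ac.iterfind("role-name")}
        constraints.append((patterns, methods, auth))
    return roles, constraints


def _match_quality(pattern, path):
    """Sort key (higher wins) if pattern matches path, else None. Simplified best-match rule."""
    if pattern == path:
        return (3, len(pattern))                       # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                    # longest prefix wins among prefixes
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                  # extension match
    if pattern == "/":
        return (0, 0)                                  # default servlet
    return None


def effective_access(roles, constraints, path, method):
    """Return DENY, ALLOW_ALL, or the frozenset of roles allowed for (path, method)."""
    method = method.upper()
    scored = []
    for patterns, methods, auth in constraints:
        if methods and method not in methods:          # no <http-method> means every method
            continue
        qualities = [q for q in (_match_quality(p, path) for p in patterns) if q is not None]
        if qualities:
            scored.append((max(qualities), auth))
    if not scored:
        return ALLOW_ALL                               # nothing constrains this request
    best = max(q for q, _ in scored)
    auths = [auth for q, auth in scored if q == best]  # combine only the best-matching ones
    if any(a is not None and not a for a in auths):
        return DENY                                    # empty <auth-constraint/> has the final word
    if any(a is None for a in auths):
        return ALLOW_ALL                               # missing <auth-constraint> opens access
    allowed = set()
    for a in auths:
        allowed |= roles if "*" in a else a            # union of roles; "*" = all declared roles
    return frozenset(allowed)


if __name__ == "__main__":
    declared, cs = parse_constraints(WEB_XML)
    for path, meth in [("/me/Display/x", "POST"), ("/me/Display/x", "GET"), ("/me/Admin/users", "GET")]:
        print(meth, path, "->", effective_access(declared, cs, path, meth))
```

Running it shows the thread's conclusion: POST to /me/Display/* is denied because the empty <auth-constraint/> overrides the "*" constraint, while GET to the same path is unconstrained because neither constraint lists that method. That second result is the practical risk Narendra points out: a constraint that names <http-method> elements only covers those methods, so every method not listed stays open.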
 