security

 
Sharath
Greenhorn
Posts: 28
<security-constraint>
<web-resource-collection>
<web-resource-name>retail</web-resource-name>
<url-pattern>/acme/retail/*</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>CONTRACTOR</role-name>
<role-name>HOMEOWNER</role-name>
</auth-constraint>
</security-constraint>


Here there is no <http-method> element. This means that nobody can make a request to /acme/retail/* (even CONTRACTOR and HOMEOWNER, or anyone who doesn't have a role defined).

Is this right?

Thanks in advance.

Regards,
Sharath
 
Roy Simon
Ranch Hand
Posts: 62
Hi,
Yes dude, I think you are right; well, at least that's what the HFS book says....
"if there were no <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP methods are allowed by anyone in any role..." Well, I too have the same interpretation as you.
Regards
Simon
 
Narendra Dhande
Ranch Hand
Posts: 951
Originally posted by Sharath KM:
<security-constraint>
<web-resource-collection>
<web-resource-name>retail</web-resource-name>
<url-pattern>/acme/retail/*</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>CONTRACTOR</role-name>
<role-name>HOMEOWNER</role-name>
</auth-constraint>
</security-constraint>


Here there is no <http-method> element. This means that nobody can make a request to /acme/retail/* (even CONTRACTOR and HOMEOWNER, or anyone who doesn't have a role defined).

Is this right?

Thanks in advance.

Regards,
Sharath



Hi,

It will give access to CONTRACTOR and HOMEOWNER only, for the /acme/retail/* resource, for all the methods (defined in the resource). No other user can access this resource.

Thanks
 
Sharath
Greenhorn
Posts: 28
Hi Narendra,

I didn't get you. Can you please explain it once again?
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

The auth-constraint applies to the combination of URL pattern + HTTP method.
The access permission is granted to the users/roles defined in the <auth-constraint> for the combination of URL pattern and HTTP method. Here there is no http-method defined, so the access is granted to URL pattern + ALL HTTP methods.

It is equivalent to

<web-resource-collection>
<web-resource-name>retail</web-resource-name>
<url-pattern>/acme/retail/*</url-pattern>
<!-- listing every method explicitly has the same effect as listing none -->
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<!-- ..... ALL HTTP METHODS ...... -->
</web-resource-collection>

My point is that if no http-method is specified, it assumes that all the methods are constrained and gives permission only to the role names defined in the <auth-constraint> sub-entry.

If you specify only one http-method, say POST, any user can access the resource without any authentication for HTTP methods other than POST. The container does not even display your authentication screen for these methods, as your resource is not secured for these methods. But for the POST method, the user must be authenticated and must match the role names specified in the <auth-constraint>.

Also, you can access the resource if the corresponding doXXX method is defined in the servlet. If methods in the servlet other than POST are not implemented, then there is no use in applying the constraint to all methods in most cases, as the default implementation throws an exception.

Hope this helps.

Thanks
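A runnable model of the rule Narendra describes, added here as an example; it is not code from this thread and not a real container, just the Servlet spec's url-pattern matching and auth-constraint combination rules written out in Python. The embedded web.xml is constructed for the example: it contains the thread's /acme/retail/* constraint (no <http-method>, so every method is covered) plus an assumed second constraint on /acme/orders/* that lists only POST, to show that GET on that path gets no login challenge at all. It also parses the Servlet 3.1 <deny-uncovered-http-methods/> element, which is the standard way to close that gap on containers that support it. Role names `*` and `**`, <http-method-omission> and <user-data-constraint> are deliberately not modelled.

```python
"""Simplified model of how a Servlet container decides access from the
<security-constraint> entries in web.xml.  Added example for the thread above,
not a real container: url-pattern matching, 'no http-method means all methods',
and the auth-constraint combination rules from the Servlet spec."""
import xml.etree.ElementTree as ET

# Constructed web.xml for this example.  The first constraint is the one from
# the thread; the second (assumed, not from the thread) lists POST only.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>retail</web-resource-name>
      <url-pattern>/acme/retail/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CONTRACTOR</role-name>
      <role-name>HOMEOWNER</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>orders</web-resource-name>
      <url-pattern>/acme/orders/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CONTRACTOR</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_web_xml(xml_text):
    """Return (constraints, deny_uncovered).  Each constraint is a tuple
    (url_patterns, http_methods, roles): an empty http_methods set means
    'all methods'; roles is None when there is no <auth-constraint> (open to
    everyone) and an empty set when <auth-constraint/> names no role (nobody)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            constraints.append((patterns, methods, roles))
    # Servlet 3.1 switch: refuse methods that a constrained URL does not list.
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    return constraints, deny_uncovered


def pattern_matches(pattern, path):
    """Servlet url-pattern forms: exact, path prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def check_access(constraints, path, method, user_roles=None, deny_uncovered=False):
    """Decide one request.  user_roles=None means the caller is unauthenticated.
    Returns 'UNCONSTRAINED' (no login challenge at all), 'AUTH_REQUIRED'
    (container challenges), 'PERMIT' or 'DENY'."""
    method = method.upper()
    url_hits = [c for c in constraints if any(pattern_matches(p, path) for p in c[0])]
    # A collection with no <http-method> covers every method (the thread's case).
    applicable = [c for c in url_hits if not c[1] or method in c[1]]
    if not applicable:
        # URL constrained for other methods only: wide open unless the 3.1 switch is on.
        return "DENY" if (url_hits and deny_uncovered) else "UNCONSTRAINED"
    role_sets = [roles for _, _, roles in applicable]
    if any(r is not None and not r for r in role_sets):
        return "DENY"        # an empty <auth-constraint/> overrides everything else
    if any(r is None for r in role_sets):
        return "PERMIT"      # a matching constraint without auth-constraint lets everyone in
    permitted = set().union(*role_sets)
    if user_roles is None:
        return "AUTH_REQUIRED"
    return "PERMIT" if permitted & set(user_roles) else "DENY"


if __name__ == "__main__":
    cons, deny = parse_web_xml(WEB_XML)
    for path, method, roles in [
        ("/acme/retail/items", "GET", None),
        ("/acme/retail/items", "DELETE", {"HOMEOWNER"}),
        ("/acme/retail/items", "GET", {"GUEST"}),
        ("/acme/orders/new", "POST", None),
        ("/acme/orders/new", "GET", None),
    ]:
        print(path, method, roles, "->", check_access(cons, path, method, roles, deny))
```

Running it shows the two sides of the rule: on /acme/retail/* an unauthenticated GET is challenged and an authenticated HOMEOWNER may even DELETE, because the constraint with no <http-method> covers every method; on /acme/orders/*, where only POST is listed, an unauthenticated GET comes back UNCONSTRAINED, exactly the "no authentication screen" behaviour Narendra describes. Appending <deny-uncovered-http-methods/> to the constructed web.xml flips that GET to DENY. On containers older than Servlet 3.1 the only ways to avoid the uncovered-method hole are to omit <http-method> altogether or to list every method, which is why omitting it is normally the right default.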
 
Sharath
Greenhorn
Posts: 28
Hi,
Thanks a lot Narendra. I had this doubt for a very long time, but I asked it today. Now I am clear on this. Actually I had referred to the errata long back and there was a bit of confusion. Anyway, thanks.
 