
Declarative Security

 
Nikhil Jain
Ranch Hand
Posts: 392
Hello there,

Guys, is it true that the declarative security model does not apply in the case of include and forward actions? Thus, can an unprotected resource make a call to a protected resource without the user having to log in?

....
 
Nikhil Jain
Ranch Hand
Posts: 392
Actually, I came across the following question:
Consider the web.xml snippet. (See exhibit)
In which of the following cases will the user be prompted for username/password?

Select 1 correct option.
a When the user clicks on a hyperlink displayed by <a href="/servlet/TestServlet">Test</a>

b When the user clicks on the submit button of a form starting with: <form action="/servlet/TestServlet" method="POST">

c For both a and b.
When there is no <http-method> element in <security-constraint>, all methods are protected.

d For neither of a or b.
<Code>
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  ...
</web-app>
</Code>

General Comments
This question is based on the concept that the declarative security model does not apply in case of include and forward actions. Thus, an unprotected resource can have a call to a protected resource without having the user to login.


I chose answer (d) because the question did not mention anything about <login-config>
<auth-method></auth-method>
</login-config>

Don't we need to put the above lines in web.xml to get the auth to work? What happens if we don't put the above lines and we have the <security-constraint> tag in web.xml? Will the authentication still work?
 
cheenu Dev
Ranch Hand
Posts: 276
Yeah, the declarative security does NOT apply in the case of
includes (request dispatcher, standard action, directive) and forwards (request dispatcher, action).
But in the question it's not clear.
Can you specify where the question was from?
 
Nikhil Jain
Ranch Hand
Posts: 392
This question was in one of the mocks of JWEB+. But what I don't get is: don't we need to use <login-config>
<auth-method></auth-method>
</login-config>
to get the authentication to work? But there was no mention of the same in the question.
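
The behaviour discussed in this thread, that a `<security-constraint>` is not applied to `RequestDispatcher` forwards and includes, can be covered by a filter mapped to those dispatch types. This is an added example, not code from the thread or the mock exam; the class name `DispatchRoleFilter` is hypothetical and a Servlet 3.0+ container (`javax.servlet` namespace) is assumed, while the URL pattern and role name are taken from the web.xml in the question.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example). It runs only for internal dispatches;
// direct client requests to /servlet/* are still handled by the container's
// <security-constraint>.
@WebFilter(urlPatterns = "/servlet/*",
           dispatcherTypes = {DispatcherType.FORWARD, DispatcherType.INCLUDE})
public class DispatchRoleFilter implements Filter {

    // Same role the <auth-constraint> in the question requires.
    private static final String REQUIRED_ROLE = "manager";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isUserInRole() returns false for an unauthenticated caller too.
        if (request.isUserInRole(REQUIRED_ROLE)) {
            chain.doFilter(req, res);
            return;
        }
        if (request.getDispatcherType() == DispatcherType.FORWARD) {
            // A forward starts with an uncommitted response, so a status can be sent.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        // INCLUDE: the included resource cannot change the status line, so the
        // chain is simply not invoked and the protected output is left out.
    }

    @Override
    public void destroy() { }
}
```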
 