Sharpen Your Pencil - PN 658

 
On page 658 of HFSJ the question is something like this:

You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources.

The answer given on page 660 is


In the answer, <http-method> is missing... so according to my understanding even Admin will not be able to make a call with any HTTP method, because all http-methods are constrained.

Am I right, or am I wrong somewhere?

Thanks
Imran
 
Hello,
When http-method is missing, it means all HTTP methods (GET, PUT, DELETE, TRACE, etc.) are constrained. That is, only the role ADMIN can access any of the above methods for the given resource identified by the url-pattern.

Rgds,
Shivani
 
Imran Vohra
So, doesn't it mean that even for "Admin", all http-methods are constrained?

Thanks
Imran
 
Yup, yup.
If we don't specify <http-method>, all the methods will be constrained. No one with any role will be able to access any of the HTTP methods,
including Admin.
 
I agree with Salil.

I believe the answer given on page 660 is wrong. Authors, please clarify!

The correct answer should be:

--------------------------------------------------------------------------
"You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources".

code:
-------------------------------------------------------------------------

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Name</web-resource-name>
    <url-pattern>/foo/bar/*</url-pattern>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
    <http-method></http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
Authors, please correct me if I am wrong!!
 
navat venu
Oh! Sorry, I forgot to add the HTTP methods to the above code.

The correct code is:
--------------------------------------------------------------------
code:
-------------------------------------------------------------------------

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Name</web-resource-name>
    <url-pattern>/foo/bar/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>HEAD</http-method>
    <http-method>CONNECT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
 
navat venu
In the above code, please ignore the last empty http-method,
i.e., <http-method></http-method>
 
Hi All,
The answer given by Shivani is correct, i.e. when no <http-method> is specified in web.xml, all the HTTP methods are constrained and only the defined role can access them.

I pasted the code below into web.xml, tried accessing the following URL, and it worked fine.
URL: http://localhost:8080/SCWCD/selectBeer.do

<security-constraint>
  <web-resource-collection>
    <web-resource-name>amit</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
 
navat venu
Shivani & Amit,

What do you think: is the answer given on page 660 (HFSJ) correct or not?

If not, what is the correct answer for that question? Is the answer given by me correct?

Please clarify!!
 
Amit Tayal
Hi Navat,
The answer given on page 660 (HFSJ) is perfectly all right.

You can even achieve the same goal using your answer, but it is not a good way of doing it.

Amit
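The point the thread settles on, as an added example that is not code from HFSJ or from any poster: a small simulation of how a container evaluates <security-constraint> elements, run against two constructed web.xml fragments. BOOK_ANSWER follows the page 660 shape (url-pattern /foo/bar/*, no <http-method>, role Admin); ENUMERATED lists eight methods explicitly, as in the alternative posted above. It shows why omitting <http-method> constrains every method, and why enumerating them is "not a good way": any verb not on the list (PATCH, PROPFIND, or anything else a client sends) is uncovered, and an uncovered method is passed through to the servlet with no authorization check at all. Servlet 3.1 added <deny-uncovered-http-methods/> to close exactly that gap, modelled here by the deny_uncovered flag. The matching rules (exact, path-prefix and extension patterns; the spec's combination rules for overlapping constraints) are simplified and ignore transport-guarantee, <http-method-omission> and the exact meaning of the "*" role name.

```python
"""Simulate how a Servlet container evaluates <security-constraint> rules.

Added example for this thread, not code from HFSJ or from any poster.
Both web.xml fragments below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Page-660 shape: no <http-method>, so every method is constrained.
BOOK_ANSWER = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FooBar</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same resources, but the methods are listed one by one.
ENUMERATED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FooBar</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(web_xml):
    """Return one (patterns, methods, roles) rule per web-resource-collection.

    methods is empty when no <http-method> is given: the rule covers every method.
    roles is None when there is no <auth-constraint> (open to everyone) and an
    empty set when <auth-constraint/> names no role (open to no one).
    """
    rules = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else frozenset(
            r.text.strip() for r in ac.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = frozenset(m.text.strip().upper()
                                for m in wrc.findall("http-method"))
            rules.append((patterns, methods, roles))
    return rules


def matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.do)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def authorize(rules, method, path, user_roles, deny_uncovered=False):
    """Return PERMIT, DENY or UNCOVERED for one request.

    UNCOVERED: no constraint names this method for this path, so the container
    forwards the request with no authorization check. Servlet 3.1's
    <deny-uncovered-http-methods/> turns that case into DENY (deny_uncovered).
    """
    method = method.upper()
    covering = [roles for patterns, methods, roles in rules
                if any(matches(p, path) for p in patterns)
                and (not methods or method in methods)]
    if not covering:
        return "DENY" if deny_uncovered else "UNCOVERED"
    # Combination rules (Servlet spec 13.8.1, simplified): a collection with no
    # auth-constraint opens the resource, an empty auth-constraint closes it,
    # otherwise the permitted roles are the union of every named role.
    if any(roles is None for roles in covering):
        return "PERMIT"
    if any(len(roles) == 0 for roles in covering):
        return "DENY"
    allowed = frozenset().union(*covering)
    if "*" in allowed:  # simplification: "*" means any authenticated role
        return "PERMIT" if user_roles else "DENY"
    return "PERMIT" if allowed & frozenset(user_roles) else "DENY"


if __name__ == "__main__":
    book, listed = parse_constraints(BOOK_ANSWER), parse_constraints(ENUMERATED)
    for verb in ("GET", "DELETE", "PATCH", "PROPFIND"):
        print(verb, "anonymous:", authorize(book, verb, "/foo/bar/x", []),
              "/", authorize(listed, verb, "/foo/bar/x", []))
```

Running it prints DENY for every anonymous request under the page 660 descriptor, but UNCOVERED for PATCH and PROPFIND under the enumerated one. That is the verb-tampering hole: a client that cannot GET /foo/bar/x without the Admin role can still send PATCH /foo/bar/x, and a servlet whose service() handles unknown verbs (or a framework that maps PATCH onto doPost) will serve it. Leaving <http-method> out, as the book does, or setting <deny-uncovered-http-methods/> on a 3.1+ container, closes it.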
 