
Sharpen Your Pencil - PN 658

 
Imran Vohra
Ranch Hand
Posts: 77
On page 658 of HFSJ the question is something like this:

You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources.

Ans given on PN 660 is


In the answer <http-method> is missing... so according to my understanding even Admin will not be able to make a call with any HTTP method, because all http-methods are constrained.

Am I right, or wrong somewhere?

Thanks
Imran
 
Shivani Chandna
Ranch Hand
Posts: 380
Hello,
When http-method is missing it means all HTTP methods (GET, PUT, DELETE, TRACE, etc.) are constrained. That is, only role ADMIN can access any of the above methods for the given resource identified by the url-pattern.

Rgds,
Shivani
 
Imran Vohra
Ranch Hand
Posts: 77
So, doesn't it mean that even for "Admin", all http-methods are constrained?

Thanks
Imran
 
salil verma
Greenhorn
Posts: 22
Yup yup.
If we don't specify <http-method>, all the methods will be constrained. No one with any role will be able to access any of the HTTP methods, including admin.
 
navat venu
Ranch Hand
Posts: 66
I agree with salil.

I believe the answer given on page 660 is wrong. Authors, please clarify!

The correct answer should be

--------------------------------------------------------------------------
"You want to constrain everything within the foo/bar directory so that only those with a security role of Admin can invoke ANY HTTP methods on those resources".

code:
-------------------------------------------------------------------------

<security-constraint>
<web-resource-collection>
<web-resource-name>Name</web-resource-name>
<url-pattern>/foo/bar/*</url-pattern>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
<http-method></http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
Authors, please correct me if I am wrong!!
 
navat venu
Ranch Hand
Posts: 66
Oh! Sorry, I forgot to add the HTTP methods to the above code.

The correct code is:
--------------------------------------------------------------------
code:
-------------------------------------------------------------------------

<security-constraint>
<web-resource-collection>
<web-resource-name>Name</web-resource-name>
<url-pattern>/foo/bar/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
<http-method>CONNECT</http-method>
<http-method>DELETE</http-method>
<http-method></http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

</security-constraint>

--------------------------------------------------------------------------
 
navat venu
Ranch Hand
Posts: 66
In the above code, please ignore the last empty http-method,
i.e. <http-method></http-method>.
 
Amit Tayal
Ranch Hand
Posts: 51
Hi All,
The answer mentioned by Shivani is correct, i.e. in case no <http-method> is specified in web.xml then all the HTTP methods are constrained and only the defined role can access it.

I pasted the code below into web.xml, tried accessing the following URL, and it worked fine.
url: http://localhost:8080/SCWCD/selectBeer.do

<security-constraint>
<web-resource-collection>
<web-resource-name>amit</web-resource-name>
<url-pattern>*.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>tomcat</role-name>
</auth-constraint>

</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
 
navat venu
Ranch Hand
Posts: 66
Shivani & Amit,

What do you think, is the answer given on page 660 (HFSJ) correct or not?

If not, what is the correct answer for that question? Is the answer given by me correct?

please clarify!!
 
Amit Tayal
Ranch Hand
Posts: 51
Hi Navat,
The answer given on P660 (HFSJ) is perfectly all right.

You can even achieve the same goal using your answer but it is not a good way of doing it.

Amit
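To pin down what the thread is debating, here is an added example (not from the book or from any of the posts) that evaluates the two candidate constraints the way a container reads them: with no <http-method>, every method on /foo/bar/* is restricted to Admin; with an enumerated method list, any method that is not listed falls outside the constraint altogether, which is why the list form is the weaker way to express this intent. The web.xml fragments, role names, the PATCH method in the audit set and all helper functions are constructed for this example, and the spec's rules for combining overlapping constraints are deliberately not modelled.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragments (not the book's answer or the posts verbatim, no namespace):
# the first omits <http-method>, the second adds the method list from navat's post.
WEB_XML_ALL_METHODS = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>bar</web-resource-name>
    <url-pattern>/foo/bar/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
</security-constraint></web-app>"""
LISTED = "POST GET PUT OPTIONS TRACE HEAD CONNECT DELETE".split()
WEB_XML_LISTED_METHODS = WEB_XML_ALL_METHODS.replace(
    "</url-pattern>", "</url-pattern>" + "".join(f"<http-method>{m}</http-method>" for m in LISTED))
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}  # audit set

def parse_constraints(web_xml):
    """Return [(url_patterns, methods, roles)]; empty methods = every method, roles None = no <auth-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        coll = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in coll.findall("url-pattern")]
        methods = {m.text.strip().upper() for m in coll.findall("http-method")
                   if m.text and m.text.strip()}  # skip an empty <http-method></http-method>
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.findall("role-name")}
        out.append((patterns, methods, roles))
    return out

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: extension (*.do), path prefix (/foo/*), default (/) or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == "/" or pattern == path

def is_allowed(constraints, path, method, user_roles):
    """May a caller with user_roles send method to path? Assumes non-overlapping constraints."""
    for patterns, methods, roles in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if methods and method.upper() not in methods:
            continue  # method not listed: this constraint does not apply to the request at all
        # An empty <auth-constraint/> (roles == set()) denies everyone; "*" admits any role.
        if roles is not None and "*" not in roles and not (roles & set(user_roles)):
            return False
    return True

def open_methods(constraints, path, methods=STANDARD_METHODS):
    """Audit check: methods a caller with no role at all may send to path."""
    return sorted(m for m in methods if is_allowed(constraints, path, m, set()))
```

Running open_methods over a deployment descriptor is a quick way to spot constraints that enumerate methods and so leave a gap for anything they did not list.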
 