Weird doubt on security

 
Ranch Hand
Posts: 44
Hi All,
I was going through the security chapter 12 of HFSJ and got a weird-as-it-gets doubt on duelling <auth-constraint> elements.
I was wondering what happens if we have two <security-constraint> tags for the same <url-pattern>, or overlapping ones as they say, with the following:
<auth-constraint/> in one
and
<auth-constraint>
<role-name>*</role-name> which is same as no <auth-constraint> tag at all
</auth-constraint>

Thanks & Regards,
Abhishek
 
Greenhorn
Posts: 3
Union of All and None should be None (i.e. nobody allowed).
 
Author
Posts: 836
My first point would be: have you tried this to see what happens? What output did you get from your trial?

Secondly, you would find the answer very easily by looking at the Servlet specs.; p.98 would sort you.

I strongly dislike the statement "the union of all and none is none"... mathematically speaking (from set theory) this is completely inaccurate: the union of all and none (the empty set) is all. The intersection of all and none is none. The use of "union" in this context is therefore misleading; instead, the Servlet spec. goes with "combine".

Lastly...

<auth-constraint/> in one
and
<auth-constraint>
<role-name>*</role-name> which is same as no <auth-constraint> tag at all
</auth-constraint>

Using * is not the same as using no constraint at all: the use of * means the resource(s) is/are "constrained to all authenticated users". The absence of a constraint means the resource(s) is/are available "to all users, regardless of whether they're authenticated [logged in] or not".
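
Added example, not part of any post in this thread: a small Java model of the Servlet specification's rules for combining <auth-constraint> elements that apply to the same URL pattern and HTTP method, covering the three cases discussed above (empty constraint, role name *, and no constraint at all). The class name, type names and sample roles are hypothetical, and the code assumes Java 16 or later for records.

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class CombineAuthConstraints {

    // One <security-constraint> as seen for a single URL pattern and method.
    // roles == null   : no <auth-constraint> element at all
    // roles is empty  : <auth-constraint/>
    // roles has "*"   : shorthand for every role declared in the descriptor
    record Constraint(Set<String> roles) {}

    enum Access { NOBODY, EVERYONE_EVEN_UNAUTHENTICATED, AUTHENTICATED_IN_ROLES }

    record Result(Access access, Set<String> roles) {}

    static Result combine(List<Constraint> constraints, Set<String> declaredRoles) {
        // With no constraint on the resource it is simply unprotected.
        boolean unconstrained = constraints.isEmpty();
        Set<String> permitted = new TreeSet<>();
        for (Constraint c : constraints) {
            if (c.roles() == null) {           // constraint without <auth-constraint>
                unconstrained = true;
            } else if (c.roles().isEmpty()) {  // <auth-constraint/> overrides all others
                return new Result(Access.NOBODY, Set.of());
            } else {                           // named roles combine as a union
                for (String role : c.roles()) {
                    if (role.equals("*")) permitted.addAll(declaredRoles);
                    else permitted.add(role);
                }
            }
        }
        if (unconstrained) return new Result(Access.EVERYONE_EVEN_UNAUTHENTICATED, Set.of());
        return new Result(Access.AUTHENTICATED_IN_ROLES, permitted);
    }

    public static void main(String[] args) {
        Set<String> declared = Set.of("Admin", "Member", "Guest"); // constructed sample roles
        Constraint empty = new Constraint(Set.of());      // <auth-constraint/>
        Constraint star  = new Constraint(Set.of("*"));   // <role-name>*</role-name>
        Constraint none  = new Constraint(null);          // no <auth-constraint>
        Constraint admin = new Constraint(Set.of("Admin"));

        System.out.println(combine(List.of(empty, star), declared)); // the pair from the question
        System.out.println(combine(List.of(star, admin), declared)); // union of named roles
        System.out.println(combine(List.of(none, admin), declared)); // missing constraint opens access
        System.out.println(combine(List.of(none, empty), declared)); // empty constraint still wins
    }
}
```

The third call shows why an overlapping <security-constraint> with no <auth-constraint> deserves review: combined with a role-restricted one, it opens the resource to unauthenticated users.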
 