
Webapp Security

 
Khp Virajith
Ranch Hand
Posts: 85
Hello everybody, I've got two questions. Please help me get them clarified.

[Q1]

<security-constraint>

  <web-resource-collection>
    <web-resource-name>MyServlet</web-resource-name>
    <url-pattern>/data/foo.doo</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>

  <!-- no <auth-constraint> here -->

</security-constraint>


A part of a web.xml (deployment descriptor) is given above. As far as I know <auth-constraint> is optional, and if we haven't used an <auth-constraint> element inside the <security-constraint> element, that particular resource (combination of HTTP method + URL pattern) can be accessed by everybody. So according to the above web.xml (deployment descriptor) everybody can access that particular resource even without being authenticated. So what is the point of creating a security constraint without <auth-constraint>? [Since it doesn't do anything its name implies without <auth-constraint>.] I would be grateful if anybody can explain it, since I'm a newcomer to the SCWCD world.


[Q2]
<web-app>

  <!-- Assume that required servlet + servlet mappings are here -->

  <security-constraint>

    <web-resource-collection>
      <web-resource-name>MyServlet</web-resource-name>
      <url-pattern>/data/foo.doo</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>

    <!-- empty auth-constraint: names no role at all -->
    <auth-constraint/>

  </security-constraint>

  <security-constraint>

    <web-resource-collection>
      <web-resource-name>MyServlet</web-resource-name>
      <url-pattern>/data/foo.doo</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>

    <!-- the "*" (all roles defined in the web-app) must sit inside a
         <role-name> element; <auth-constraint>*</auth-constraint> is
         not valid against the web-app schema -->
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>

  </security-constraint>

  <!-- Assume that required servlet + servlet mappings are here -->

</web-app>


A part of a web.xml (deployment descriptor) is given above. According to the above piece of tags, I think that everybody can access that particular resource (combination of HTTP method + URL pattern). Is that wrong? If so, please explain it.

Regards,
VIRAJ
 
Siddharth Purandare
Ranch Hand
Posts: 101
Hi Viraj,

I will try to answer your 2 questions:


Q1. What is the point of creating a security constraint without <auth-constraint>?

Ans: If you don't use the <auth-constraint> element then anybody can make the request [but in a constrained way] for the resources specified by the <url-pattern> and <http-method> combination, BUT if you specify the <auth-constraint> element then ONLY the <role-name> specified inside it can make a constrained request.

Anyway, your resources are requested/served in a constrained way even if you don't specify the <auth-constraint> element.

Q2.

Answer: Whenever you see 2 empty <auth-constraint> elements, remember the golden rule: "ACCESS IS GRANTED TO THE UNION OF ALL ROLES FROM BOTH THE <auth-constraint> ELEMENTS".

I hope I have been able to justify my answer.
 
Sayak Banerjee
Ranch Hand
Posts: 292
Q1. What is the point of creating a security constraint without <auth-constraint>?

Ans: If you don't use the <auth-constraint> element then anybody can make the request [but in a constrained way] for the resources specified by the <url-pattern> and <http-method> combination, BUT if you specify the <auth-constraint> element then ONLY the <role-name> specified inside it can make a constrained request.

It's not in a constrained way. Absence of <auth-constraint> means unauthenticated access.
In the servlet spec (page 97) it says:
"An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests."

And its a very easy thing to try out and confirm it yourself.



Q2.

Answer: Whenever you see 2 empty <auth-constraint> elements, remember the golden rule: "ACCESS IS GRANTED TO THE UNION OF ALL ROLES FROM BOTH THE <auth-constraint> ELEMENTS".

This holds good for 2 non-empty <auth-constraint> sub-elements. Whenever an empty <auth-constraint> sub-element is present in any one of the <security-constraint> elements, the result is no access for anybody to the common constrained resources.
In the spec (page 98) it says:
"The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

[ December 11, 2006: Message edited by: Sayak Banerjee ]
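The combination rules quoted above, worked through as an added example that is not part of this thread: a short Python script that parses a web.xml and reports, for a given URL pattern and HTTP method, who may reach it once every matching <security-constraint> has been combined. The descriptor it reads is constructed for the example: the poster's Q2 constraints (with the second <auth-constraint> written as <role-name>*</role-name>, which is what the schema requires), a Q1-style constraint on /reports/run.do that has no <auth-constraint> but carries a <user-data-constraint>, and two constraints on /admin/users.do that name different roles. It assumes exact url-pattern matching only (no /prefix/* or *.ext patterns and no best-match selection), which is enough for these descriptors.

```python
"""Effective access for a (url-pattern, HTTP method) pair under the Servlet
spec's rules for combining <security-constraint> elements.

Added example, not code from the thread. Assumption: only exact url-pattern
matches are modelled (no /prefix/*, no *.ext, no best-match selection)."""
import xml.etree.ElementTree as ET

# Constructed descriptor (not the poster's file verbatim): Q2's two constraints,
# a Q1-style constraint that only demands TLS, and a role-union case.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>MyServlet</web-resource-name>
   <url-pattern>/data/foo.doo</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>MyServlet</web-resource-name>
   <url-pattern>/data/foo.doo</url-pattern>
   <http-method>POST</http-method><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Reports</web-resource-name>
   <url-pattern>/reports/run.do</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Admin</web-resource-name>
   <url-pattern>/admin/users.do</url-pattern><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Admin</web-resource-name>
   <url-pattern>/admin/users.do</url-pattern><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>auditor</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

NO_AUTH = None          # <auth-constraint> absent: no authentication required
DENY_ALL = frozenset()  # <auth-constraint/> present but naming no role


def parse_constraints(xml_text):
    """Return (patterns, methods, auth, transport) per <security-constraint>.
    auth is NO_AUTH, DENY_ALL or a frozenset of role names; transport is the
    <transport-guarantee> text, or "NONE" when there is no user-data-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns, methods = set(), set()
        for wrc in sc.findall("web-resource-collection"):
            patterns |= {p.text.strip() for p in wrc.findall("url-pattern")}
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        auth = NO_AUTH if ac is None else frozenset(
            r.text.strip() for r in ac.findall("role-name"))
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append((patterns, methods, auth,
                    "NONE" if tg is None else tg.text.strip().upper()))
    return out


def effective_access(constraints, url, method):
    """Combine every constraint covering (url, method) into (who, transport).
    who: "uncovered" (no constraint lists this method for this url, so the
    container does not intervene), "unauthenticated" (matches, but none has an
    <auth-constraint>), "denied" (an empty <auth-constraint/> overrides the
    rest), "any-authenticated" ("*" in the role union), or the frozenset union
    of named roles. transport: the spec unions the accepted connection types,
    so a single match without a guarantee lets plain HTTP through."""
    matches = [(auth, tr) for pats, meths, auth, tr in constraints
               if url in pats and (not meths or method.upper() in meths)]
    if not matches:
        return "uncovered", "NONE"
    guarantees = {tr for _, tr in matches}
    transport = ("NONE" if "NONE" in guarantees else
                 "INTEGRAL" if "INTEGRAL" in guarantees else "CONFIDENTIAL")
    auths = [a for a, _ in matches if a is not NO_AUTH]
    if not auths:
        return "unauthenticated", transport
    if DENY_ALL in auths:
        return "denied", transport
    roles = frozenset().union(*auths)
    return ("any-authenticated" if "*" in roles else roles), transport


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for url, m in [("/data/foo.doo", "GET"), ("/data/foo.doo", "POST"),
                   ("/data/foo.doo", "DELETE"), ("/reports/run.do", "GET"),
                   ("/admin/users.do", "POST")]:
        print(f"{m:6} {url:16} -> {effective_access(cs, url, m)}")
```

Two points the script makes visible that the replies only touch on. For Q1, the practical reason to write a <security-constraint> with no <auth-constraint> is to attach a <user-data-constraint> (a <transport-guarantee> of CONFIDENTIAL or INTEGRAL), which the script reports for /reports/run.do: anyone may call it, but only over a protected connection. For Q2, note the DELETE line: methods that no constraint lists for /data/foo.doo are simply uncovered and the container does not intervene, so a constraint that lists only GET and POST leaves other verbs open; Servlet 3.1 added <deny-uncovered-http-methods/> to web.xml to close that gap.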
 
Siddharth Purandare
Ranch Hand
Posts: 101
Thanks Sayak for the clarification....
 