
Mock question -- on security

 
Tiffiny Yang
Ranch Hand
Posts: 124
Given the following incomplete extract from a deployment descriptor, what are possible ways of accessing the protected resource named TheCheckedServlet? (Choose three.)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TheCheckedServlet</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>bigwig</role-name>
    </auth-constraint>
</security-constraint>
A. Via another URL pattern (if one is set up elsewhere within the deployment descriptor).
B. Any authenticated user can access the resource.
C. Any user (authenticated or not) can access the resource.
D. Via RequestDispatcher.include().
E. Via RequestDispatcher.forward().
F. Via the URL pattern /CheckedServlet, provided the user is authenticated and has bigwig as a valid role.

The answer is A D E.
Can somebody explain to me why?

Thanks in advance
 
Christophe Verré
Sheriff
Posts: 14691
A. If you've got another mapping pointing to TheCheckedServlet, but which is not declared in a security-constraint, you will be able to access it.
For example:


D. E. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.
 
Mirko Bonasorte
Ranch Hand
Posts: 244
Hi to everybody,
why not the F choice?
 
Christophe Verré
Sheriff
Posts: 14691
F is not correct because the special case of an authorization constraint that names no roles shall combine with any other constraints to override their effects and cause access to be precluded. So the first setting overrides the second.
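As an added illustration (not code from the thread, the Servlet spec or any container), here is a Python sketch of how a container combines the two constraints in the question for one request. WEB_XML is constructed from the question's fragment, url_matches is a simplified matcher, and RequestDispatcher.forward()/include() never reach this check at all, which is why D and E work.

```python
import xml.etree.ElementTree as ET

# Constructed fragment reproducing the question's two <security-constraint> elements
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/CheckedServlet</url-pattern>
  </web-resource-collection>
  <auth-constraint />
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/CheckedServlet</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>bigwig</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def url_matches(pattern, path):
    """Simplified servlet matching: exact, path-prefix (/x/*) or default (/)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path or pattern == "/"

def access_allowed(web_xml, path, method, user_roles):
    """Combine all constraints covering (path, method) per the spec: an empty
    <auth-constraint/> precludes access whatever else matches; a constraint
    with no <auth-constraint> allows anyone; else one named role is needed."""
    precluded, unconstrained, roles = False, False, set()
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            if methods and method not in methods:  # no <http-method> = every method
                continue
            if not any(url_matches(p.text.strip(), path)
                       for p in wrc.findall("url-pattern")):
                continue
            ac = sc.find("auth-constraint")
            if ac is None:  # constraint without <auth-constraint>: open to all
                unconstrained = True
                continue
            names = {r.text.strip() for r in ac.findall("role-name")}
            precluded |= not names  # <auth-constraint/> with no roles
            roles |= names
    if precluded:
        return False
    if unconstrained or not roles:  # no authorization constraint applies
        return True
    return bool(set(user_roles) & roles) or ("*" in roles and bool(user_roles))
```

With the question's descriptor, even a GET from a bigwig user is refused; drop the empty <auth-constraint/> constraint and the GET-only rule behaves as option F describes, while an unlisted mapping such as /AnotherMapping (option A) is never checked.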
 
Tiffiny Yang
Ranch Hand
Posts: 124
Thanks Satou!!!

I've tried using the forward() method to invoke the secured servlet. You're right about it.

Thanks again.
 