
Question on http-method in security-constraint

 
Joe Harry
Guys,

What if I don't have any http-method tag under my security-constraint? This would mean that I cannot do any HTTP method against the resource that I'm protecting? Would this be done in any real time scenario?
 
Christophe Verré
This would mean that I cannot do any HTTP method against the resource that I'm protecting?

No, that would mean that you put some constraints on all HTTP methods, and that only an authorized user could access it.
It is meant to be used in conjunction with auth-constraint.
 
Joe Harry
So that means not specifying any <http-method> is as good as specifying all of them. Am I right Satou?
 
Joe Harry
Imagine I have the following DD configuration,

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sample</web-resource-name>
        <url-pattern>/test.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Manager</role-name>
    </auth-constraint>
</security-constraint>

Now, in the above example, I have not included any <http-method>. So does this mean that a Manager is not allowed to do any method against test.jsp?
 
Christophe Verré
So does this mean that a Manager is not allowed to do any method against test.jsp?

No, it means that only a Manager is able to (on any methods). Other users trying to access the page via GET, POST or whatever will be rejected.
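
An added example, not part of the original thread: a short Python check of the rule described above, run over a constructed descriptor. It goes slightly beyond the thread by also reporting a hypothetical second constraint that does list <http-method> elements; under the Servlet specification such a constraint applies only to the listed methods. The function names, the "Reports" constraint and the /reports/* pattern are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the first constraint is the one from the thread,
# the second is a hypothetical variant that lists <http-method> elements.
SAMPLE_DD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sample</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop any XML namespace prefix so namespaced web.xml files also parse."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name, deep=False):
    """Text of child (or, with deep=True, descendant) elements called `name`."""
    nodes = parent.iter() if deep else parent
    return [n.text.strip() for n in nodes if local(n.tag) == name and n.text]

def audit(dd_xml):
    """Return one finding per <web-resource-collection> in the descriptor."""
    findings = []
    for sc in ET.fromstring(dd_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles = texts(sc, "role-name", deep=True)
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            listed = texts(wrc, "http-method")
            findings.append({
                "patterns": texts(wrc, "url-pattern"),
                "roles": roles,
                "listed_methods": listed,
                # No method elements at all: every HTTP method is constrained.
                "covers_all_methods": not listed and not texts(wrc, "http-method-omission"),
            })
    return findings
```

A finding with covers_all_methods set to False is worth reviewing when auditing a descriptor: methods outside listed_methods are not restricted by that constraint.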
 
Joe Harry
Yes, I got this now. Thanks for the help Satou!
 