
Web app security

 
Akhil Maharaj
Ranch Hand
Posts: 63
Hi All

This question is regarding the last question in Page 660 of HFSJ.

How do you constrain everything within the foo/bar directory so that only ADMIN can invoke ANY http methods on those resources?

The answer given is :



My understanding is that
security-constraint defines the "http-methods" that can be performed on each "resource" given in web-resource-collection by users in each "role" given in auth-constraint. If no methods are mentioned, then everything is blocked.


So the above answer should be ALL BLOCKED, even for ADMIN. Please provide your thoughts on this.

[ March 04, 2008: Message edited by: Akhil Maharaj ]
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
Who are you quoting in that quote block? I don't think the quote is correct.
 
Anirban Basu
Ranch Hand
Posts: 35
If you don't provide <http-method> that means all http methods are constrained. Those are blocked for unauthorized users but a user authorized as ADMIN can access any of the resources mentioned in url-pattern using any of the http methods.

So the answer given in HFSJ is correct.

Cheers,
Anirban
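A constructed web.xml fragment illustrating the rule discussed in this thread (added here; it is not the book's answer key and not quoted from the book). The web-resource-name, realm and the 3.1 schema are assumptions; the url-pattern /foo/bar/* and the ADMIN role come from the question. It also shows the weaker method-listed form beside it, and the Servlet 3.1 deny-uncovered-http-methods element that closes the gap that form leaves.

```xml
<!-- Constructed web.xml fragment (example added here, not the book's answer key). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. Correct: no <http-method> inside the collection, so EVERY method
          (GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, ...) on /foo/bar/*
          is constrained, and only a user in role ADMIN may use any of them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo-bar-admin-only</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 2. Weaker, common mistake (shown commented out): listing methods
          constrains ONLY those methods. PUT, DELETE, HEAD etc. on /foo/bar/*
          stay unconstrained (no role needed) unless covered elsewhere. -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo-bar-get-post-only</web-resource-name>
      <url-pattern>/foo/bar/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- Servlet 3.1+: if method lists are used anyway, this makes the container
       reject any method a constraint leaves uncovered instead of allowing it. -->
  <deny-uncovered-http-methods/>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>ADMIN</role-name>
  </security-role>
</web-app>
```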
 
Akhil Maharaj
Ranch Hand
Posts: 63
Thanks for clarification
 