If http-method is not specified, then nobody can access the resource ?

 
Joshua Antony
Ranch Hand
Posts: 254
Please let me know if the below sentence is true:

If we do not specify <http-method> inside <security-constraint> then NO one can access the resource provided in the <url-pattern> irrespective of the content of <auth-constraint>
 
swapna rao
Ranch Hand
Posts: 53
> If we do not specify <http-method> inside <security-constraint> then NO one can access the resource provided in the <url-pattern> irrespective of the content of <auth-constraint>

Your statement is wrong.
If you do not specify http-method, then by default all HTTP methods will be constrained.
For example:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>a</web-resource-name>
    <url-pattern>/Testsample</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

In this example only users with role as "managers" will be able to make any HTTP requests (GET, POST, HEAD, PUT, TRACE, OPTIONS, DELETE) on the resource Testsample. Other users will not be able to make any HTTP request on the resource Testsample.
If no <auth-constraint> is present in the above case, everyone will be given access to make any HTTP request on Testsample.
If an empty <auth-constraint/> is present in the above case, nobody will be able to make any HTTP request on Testsample.

Please, anyone, correct me if I'm wrong.
 
Khadija Lokhandwala
Ranch Hand
Posts: 33
Hi,
Swapna, that is correct.
If no <http-method> is specified in <web-resource-collection> element, then all the HTTP Methods are restrained and only roles mentioned in <auth-constraint> can access those resources.
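
An added example, not part of any post above and not code from the thread's participants: a small Python audit that reads <security-constraint> entries from a web.xml and reports, per HTTP method, who each constraint admits, covering the three <auth-constraint> cases discussed in the thread. It goes slightly beyond the thread by also flagging constraints that do list <http-method>, where the unlisted methods are left unconstrained by that constraint. The sample XML and the /open, /locked and /partial patterns are constructed; <http-method-omission> and the merging of several constraints on one URL pattern are not modelled.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "POST", "HEAD", "PUT", "TRACE", "OPTIONS", "DELETE")

# Constructed sample: the thread's constraint plus three variants.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/Testsample</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/open</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/locked</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/partial</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def evaluate(web_xml):
    """Map each url-pattern to {method: access}, one constraint at a time."""
    result = {}
    for sc in ET.fromstring(web_xml).iterfind("{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        # No element: no role check. Empty element: deny all. Else: listed roles.
        roles = None if auth is None else sorted((r.text or "").strip() for r in auth.findall("{*}role-name"))
        access = "everyone" if roles is None else (roles or "nobody")
        for wrc in sc.findall("{*}web-resource-collection"):
            listed = {(m.text or "").strip().upper() for m in wrc.findall("{*}http-method")}
            covered = listed or set(ALL_METHODS)  # none listed: every method is covered
            table = {m: access if m in covered else "unconstrained" for m in ALL_METHODS}
            for pat in wrc.findall("{*}url-pattern"):
                result[(pat.text or "").strip()] = table
    return result


def uncovered(web_xml):
    """Patterns whose constraint lists methods and so leaves the rest unconstrained."""
    return {p: [m for m, a in t.items() if a == "unconstrained"]
            for p, t in evaluate(web_xml).items() if "unconstrained" in t.values()}

print(uncovered(SAMPLE_WEB_XML))
```

Any pattern returned by uncovered() is worth reviewing, since the methods it names are not subject to the role check in that constraint.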
 