
Conflicting Security Constraints

 
Daniel Spritzer
Greenhorn
Posts: 10
Let's say you have two different security constraints on the same resource:

<auth-constraint/>
which should allow access to no one.

and

<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
which should allow access to everyone. (or you could have no auth-constraint listed at all).

Do ALL users get access to this resource, or do NO users get access to the resource? HFSJ is not clear about this.

Thanks
Daniel
 
Shiraz Khan
Ranch Hand
Posts: 51
Logically speaking, since this is a security constraint, putting a constraint over all the roles will take priority over giving access to all the roles.
 
Daniel Spritzer
Greenhorn
Posts: 10
Shiraz, that's my first instinct as well. However, I'm sure you'd agree, there are many topics that don't follow normal logic.
 
Musab Al-Rawi
Ranch Hand
Posts: 231
Daniel,

If there is a rule that doesn't allow access to anyone, it will overrule other rules on the same resource.

If there isn't such a rule, then take the union.

Musab
 
Durga Prasad Vuyyuru
Greenhorn
Posts: 25
Hi All,

If there is an <auth-constraint/> and you did not keep anything between the tags, then no user will be able to access that constrained resource (even if there is another <auth-constraint> with some users, this rule still applies).
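The combining rule described in the replies above, as an added example that is not part of the original thread: a Python check that reads a deployment descriptor and reports the effective access per url-pattern. It also covers a constraint with no auth-constraint element at all, which the Servlet specification combines with role-naming constraints to allow unauthenticated access. The sample descriptor, the helper names and the result labels are constructed for illustration; patterns are compared as exact strings and http-method elements are ignored.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def constraint(pattern, auth_xml):
    """Build one <security-constraint> for the constructed sample below."""
    return ("<security-constraint><web-resource-collection>"
            f"<url-pattern>{pattern}</url-pattern>"
            f"</web-resource-collection>{auth_xml}</security-constraint>")

# Constructed sample descriptor (no XML namespace, for brevity).
WEB_XML = "<web-app>" + "".join([
    constraint("/admin/*", "<auth-constraint/>"),
    constraint("/admin/*", "<auth-constraint><role-name>*</role-name></auth-constraint>"),
    constraint("/reports/*", "<auth-constraint><role-name>manager</role-name></auth-constraint>"),
    constraint("/reports/*", "<auth-constraint><role-name>clerk</role-name></auth-constraint>"),
    constraint("/docs/*", "<auth-constraint><role-name>manager</role-name></auth-constraint>"),
    constraint("/docs/*", ""),  # no auth-constraint element at all
]) + "</web-app>"

def effective_access(web_xml):
    """Combine the auth-constraints that share an identical url-pattern string."""
    per_pattern = defaultdict(list)
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # None = element absent; set() = present but empty; else the named roles
        roles = None if auth is None else {
            r.text.strip() for r in auth.findall("role-name") if r.text}
        for pat in sc.iter("url-pattern"):
            per_pattern[pat.text.strip()].append(roles)
    result = {}
    for pattern, entries in per_pattern.items():
        if any(e is not None and not e for e in entries):
            result[pattern] = "DENY_ALL"          # empty auth-constraint overrules
        elif any(e is None for e in entries):
            result[pattern] = "NO_AUTH_REQUIRED"  # a constraint without auth-constraint
        else:
            result[pattern] = set().union(*entries)  # union of the named roles
    return result

if __name__ == "__main__":
    for pattern, access in effective_access(WEB_XML).items():
        print(pattern, "->", access)
```

Running it over a real web.xml requires handling the descriptor's XML namespace, which this sample omits.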
 