
security constraint : http-method

 
Andriy Fedotov
Ranch Hand
Posts: 49
Head First 1st Edition:

p. 634:
If there are NO <http-method> elements it means that NO HTTP Methods are allowed by ANYONE in ANY role

p. 660
There's an example where no <http-method> is specified. There's a commentary: We left off <http-method> so that NO HTTP Methods are accessible by ANYONE except Admin (there's an <auth-constraint> with this role coming after <web-resource-collection>).

So, does that mean that:
1) if I specify <http-method/> then no methods are allowed to anyone in any role, including the one that I specify in the <auth-constraint>
2) if I don't specify <http-method> at all then no methods are allowed to anyone except the roles specified in the <auth-constraint>
 
Musab Al-Rawi
Ranch Hand
Posts: 231
If you don't specify any method, that means all HTTP methods are constrained.
If you specify method(s), then only those specified methods are constrained while the others are not.
 
dhwani mathur
Ranch Hand
Posts: 621
Hi!!!

Now I am getting a bit more confused. Can anyone please elaborate on the above?


SCJP(1.5),SCWCD(On the Way...)
Dhwani:>Winning is not important but it is the only thing.
 
Musab Al-Rawi
Ranch Hand
Posts: 231
The security constraint tag works as follows:
it defines the url-pattern and which methods are to be constrained (constrained means that only the specified roles can access the resource).
Example:
if you specify <http-method>GET</http-method> on a url-pattern, say /beer/*, that means that any user can issue a POST HTTP method on the resource without being logged in, but in order to issue a GET HTTP method on the resource they have to belong to one of the specified roles.

If you don't specify any methods, then it means that you can't issue any HTTP method (GET, POST, DELETE, PUT etc.) unless you belong to one of the specified roles.
 
dhwani mathur
Ranch Hand
Posts: 621
Hi!! Thanks for the reply.

Originally posted by Musab Al-Rawi:
The security constraint tag works as follows:
it defines the url-pattern and which methods are to be constrained (constrained means that only the specified roles can access the resource).
Example:
if you specify <http-method>GET</http-method> on a url-pattern, say /beer/*, that means that any user can issue a POST HTTP method on the resource without being logged in, but in order to issue a GET HTTP method on the resource they have to belong to one of the specified roles.

If you don't specify any methods, then it means that you can't issue any HTTP method (GET, POST, DELETE, PUT etc.) unless you belong to one of the specified roles.


Now I am a bit clearer with it, but still one doubt persists.
That is, you have specified

(the constraint quoted here is missing from the post)

so now they have to belong to the specified roles in order to issue an HTTP GET method.

Does the same thing apply if I use the POST method in the tag?


One more thing you have mentioned is that if we don't specify any methods, then it means we can't issue any HTTP method (GET, POST, DELETE, PUT etc.) unless we belong to one of the specified roles?


Here, by "don't specify" do you mean to say

(the constraint quoted here is missing from the post)


Thanking you in advance.

SCJP(1.5),SCWCD(On the Way...)
Dhwani:>Winning is not important but it is the only thing.
 
Prem Kashyap
Ranch Hand
Posts: 52
<auth-constraint>
An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name "*" is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances.

If <auth-constraint> exists, the container must perform authentication for the associated URLs (specified in <url-pattern>).
If <auth-constraint> exists but the <role-name> element is not there, then NO USERS are allowed to access the <url-pattern> (whether <http-method> is there or not).

If no authorization constraint applies to a request, the container must accept the request without requiring user authentication. So this means anyone can access the constrained request (which means anyone can access the request using the HTTP method specified in the <http-method> tag of the <web-resource-collection>).

If NO <http-method> element is specified, then NO HTTP methods are allowed by anyone in any role for that particular <url-pattern>.
Regards

Prem Kashyap
[ May 06, 2008: Message edited by: Prem Kashyap ]
 
Andriy Fedotov
Ranch Hand
Posts: 49
Thanks for the answers.

So, am I right in this:

1.

<http-method>get</http-method>
<auth-constraint>admin</auth-constraint>

only admin has access to the GET method; for other methods, everybody

2.

<http-method/>
<auth-constraint>admin</auth-constraint>

everybody has access to all methods

3.

<!-- no <http-method> tag -->
<auth-constraint>admin</auth-constraint>

nobody, including admin, has access to any method
 
Prem Kashyap
Ranch Hand
Posts: 52
1) Correct
2) Incorrect - An empty <http-method> is the same as not specifying any <http-method>. So all HTTP methods are constrained.
3) Correct - If you do not specify any <http-method>, then you are constraining ALL HTTP methods.

Regards

Prem Kashyap
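To make the rules from Musab's explanation, Prem's summary and Andriy's three cases concrete, here is a small model of how a container decides one request against a set of <security-constraint> entries. It is an added illustration written for this thread, not code from the book, from any servlet container or from the posters; the roles, URL patterns and paths are constructed sample values. It encodes exactly the behaviour the thread settles on: listed <http-method> values constrain only those methods, no listed methods constrains every method, an <auth-constraint> with no <role-name> admits nobody, and a collection with no <auth-constraint> at all admits anyone.

```python
"""Toy model of <security-constraint> evaluation (added illustration, not container code)."""
from dataclasses import dataclass, field
from typing import Iterable, Optional


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern forms: default '/', path prefix '/x/*', extension '*.ext', exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


@dataclass
class SecurityConstraint:
    url_patterns: list[str]
    # <http-method> entries; an empty list means the constraint covers every method.
    http_methods: list[str] = field(default_factory=list)
    # None: no <auth-constraint> element at all.
    # []:   <auth-constraint> present but names no <role-name> (access precluded).
    auth_roles: Optional[list[str]] = None

    def covers(self, method: str, path: str) -> bool:
        if self.http_methods and method.upper() not in {m.upper() for m in self.http_methods}:
            return False
        return any(url_pattern_matches(p, path) for p in self.url_patterns)


def is_permitted(constraints: Iterable[SecurityConstraint], method: str, path: str,
                 user_roles: Optional[set[str]] = None) -> bool:
    """Decide one request. user_roles=None models an unauthenticated caller."""
    applicable = [c for c in constraints if c.covers(method, path)]
    if not applicable:
        return True                       # nothing constrains this method/path
    if any(c.auth_roles == [] for c in applicable):
        return False                      # empty <auth-constraint/> precludes access outright
    if any(c.auth_roles is None for c in applicable):
        return True                       # no <auth-constraint>: unauthenticated access allowed
    allowed: set[str] = set()
    for c in applicable:
        allowed.update(c.auth_roles)      # roles from overlapping constraints are combined
    if user_roles is None:
        return False                      # the container would challenge for login here
    if "*" in allowed:
        return bool(user_roles)           # "*": any role defined in the descriptor
    return bool(allowed & user_roles)


# Constructed sample constraints mirroring the cases discussed in the thread.
# Case 1: only GET on /beer/* is constrained to admin; other methods are open.
CASE_GET_ONLY = SecurityConstraint(["/beer/*"], ["GET"], ["admin"])
# Case 3: no <http-method>, so every method on /beer/* is constrained to admin.
CASE_ALL_METHODS = SecurityConstraint(["/beer/*"], [], ["admin"])
# <auth-constraint> with no <role-name>: nobody may reach /beer/*.
CASE_NOBODY = SecurityConstraint(["/beer/*"], [], [])
# <web-resource-collection> without <auth-constraint>: anyone may reach /beer/*.
CASE_EVERYONE = SecurityConstraint(["/beer/*"], [], None)


if __name__ == "__main__":
    for label, cs, method, roles in [
        ("case 1, anonymous GET", [CASE_GET_ONLY], "GET", None),
        ("case 1, anonymous POST", [CASE_GET_ONLY], "POST", None),
        ("case 3, anonymous POST", [CASE_ALL_METHODS], "POST", None),
        ("case 3, admin DELETE", [CASE_ALL_METHODS], "DELETE", {"admin"}),
        ("empty auth-constraint, admin GET", [CASE_NOBODY], "GET", {"admin"}),
        ("no auth-constraint, anonymous GET", [CASE_EVERYONE], "GET", None),
    ]:
        verdict = "permitted" if is_permitted(cs, method, "/beer/list", roles) else "denied"
        print(f"{label}: {verdict}")
```

Case 2 from the thread (`<http-method/>`) is not modelled separately: if a container accepts that element at all it yields an empty method list, which this model treats exactly like case 3, matching Prem's answer. The thing to take away for real deployments is case 1: naming only GET leaves POST, PUT, DELETE and the rest reachable without login, so a descriptor that lists methods should be reviewed for the ones it does not list. Servlet 3.0 added <http-method-omission> for constraining "every method except these", and Servlet 3.1 added <deny-uncovered-http-methods/> so that unlisted methods are refused rather than left open.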
 
Musab Al-Rawi
Ranch Hand
Posts: 231
Prem is correct; sorry for the previous post (I deleted it so that I don't mislead anyone).
Security can be tricky!
 
Andriy Fedotov
Ranch Hand
Posts: 49
OK, thank you for the explanation.
 
Jesus Barreto
Greenhorn
Posts: 2
Is there someone who could help me with this question:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Foo</web-resource-name>
    <url-pattern>/Bar/Baz/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <security-role>
    <role-name>DEVELOPER</role-name>
  </security-role>
</security-constraint>

And given that "MANAGER" is a valid role-name, which four are true for this security constraint? (choose four)

A. MANAGER can do a GET on resources in the /Bar/Baz directory
B. MANAGER can do a POST on any resources in the /Bar/Baz directory
C. MANAGER can do a TRACE on any resources in the /Bar/Baz directory
D. DEVELOPER can do a GET on resources in the /Bar/Baz directory
E. DEVELOPER can do ONLY a POST on resources in the /Bar/Baz directory
F. DEVELOPER can do a TRACE on any resources in the /Bar/Baz directory

I guess that the correct answer is just A,C,E.

Am I correct?
 
Sarat Koduri
Ranch Hand
Posts: 83
Originally posted by Jesus Barreto:
I guess that the correct answer is just A,C,E.

Am I correct?


Hi, of course those three are correct, and apart from that Option D is also correct.

DEVELOPER can do GET as well, like any other role.

 
Sarat Koduri
Ranch Hand
Posts: 83
Originally posted by Jesus Barreto:
I guess that the correct answer is just A,C,E.

Am I correct?


Hi,
I rechecked the options and I guess the answer should be A,C,D,F.
I know what's going on in your mind...!! Option E is wrong because DEVELOPER of course can do POST, but not only POST.

Here DEVELOPER has the special right to do POST, and along with that he has the rights of all other users.
 
Jesus Barreto
Greenhorn
Posts: 2
I got it, thanks for your explanation. I agree with you: the correct answer is A,C,D,F.
 