Marcus Green exam: Dueling auth-constraint elements

This is Q6 of Marcus Green's first mock exam, together with the given answers:

<security-constraint> <web-resource-collection> <web-resource-name>Sensitive</web-resource-name> <url-pattern>/SecuredServlet</url-pattern> </web-resource-collection> <auth-constraint> </auth-constraint> <role-name>manager</role-name> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Sensitive</web-resource-name> <url-pattern>/SecuredServlet</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> Choose one answer. A. It is faulty becasue it has multiple security-constraint elements Incorrect B. It is faulty because it does not supply the http-method tag >> Incorrect The http-method tag is optional C. Only members of the manager role will be able to access the resource >> Incorrect D. Any user will be able to access the resource >> Correct The use of the wildcard * will override the explicit role declaration and give anyone access to the resource. E. No users will be able to access the resource >> Incorrect Although the first auth-constraint is empty, implying no one will have access to the resource, this is cancelled out by the second auth-constraint that will allow anyone to access the resource.

But according to HFSJ, p.639 (1st ed.), rule 3, 'E' is the right answer, because an empty auth-constraint tag overrules everything.

I also tried it myself, and indeed an empty auth-constraint tag will always deny access. It doesn't even bother to authenticate!

Btw, apart from the above, the Marcus Green exam is excellent and well recommended!

[ August 01, 2008: Message edited by: Jan Sterk ]
[ August 01, 2008: Message edited by: Jan Sterk ]

I think E is correct answer according to HFSJ.
[ August 03, 2008: Message edited by: Chintu sirivennela ]

Hi,

Let me clear you on this
empty tag means which doesn't have any body,so the following might be empty tags
<tag /> or <tag></tag> .Even if you have space between opening and ending tag also that will be considered as body.
Here if you observe the <auth-constraint> tag is declared with a carraige return,so it doesn't be considered as an empty tag.
Correct me if i am wrong.

Vijaya, I think all white space is ignored in any XML. Please check the answers (last sentence) that are included in the code block above. It says that the first auth-constraint tag is empty.
[ August 04, 2008: Message edited by: Jan Sterk ]