
web resource collection doubt

 
Brijesh shah
Ranch Hand
Posts: 92
Hello Ranchers;

In <web resource collection> if we don't specify any http method then ALL methods will be constrained. Means any role name defined in <auth-constraint> can access any method like GET, POST, PUT .....

Is it true?

Please correct me if I'm wrong... And I would appreciate it if anyone can explain to me in brief the meaning of constraints in "<web resource collection> if we don't specify any http method then ALL methods will be constrained"

Thanks & Regards;
Brijesh Shah
 
siyabonga khanyile
Greenhorn
Posts: 12
I was still studying that part as well and I find it a bit tricky.
There are a couple of scenarios that are possible here.

1. If you don't specify any http-method then it means all the methods will be constrained and can only be accessed by people specified in <role-name>
(but again, if you didn't specify any auth-constraint then the methods will still be accessible to anyone)

2. If you specify any method, say POST, then it means only POST requests will be constrained and the rest will be available. So this means POSTs can only be done by people specified in <role-name>, but everyone else can still have access to other methods like GET.

Not sure if I answered your question.
 
Brijesh shah
Ranch Hand
Posts: 92
Hello;

It would be great if someone could elaborate on this topic...

Thanking you in advance

Regards;
Brijesh
 
Satya Maheshwari
Ranch Hand
Posts: 368
Let's take an example



Here we have secured GET requests to /TestServlet. If GET was not specified, all requests would be unsecured. Then we have an authorisation constraint which specifies that the constraints apply to the role 'Tomcat', i.e. only when you need to access /TestServlet using GET, you should have the credentials of 'Tomcat'. Since we have secured a resource (/TestServlet), there must be some authentication mechanism, which is specified as BASIC in login config. Also we have created a security role called 'Tomcat'. This is necessary as we have used this role in our security constraint. If it was not created, the resource will not be secured. You can go through http://java.boot.by/wcd-guide/ch05.html for more details.
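
An added example, not part of the thread or any poster's code: a small Python audit that reads a web.xml and reports, for each constraint, which HTTP methods it covers and which roles it admits, so the two scenarios discussed above can be checked on a real descriptor. The descriptor fragment, the URL patterns and the role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread): the first constraint
# lists only POST, the second lists no http-method at all.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>orders</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def elems(root, name):
    """Descendants of root (XML namespace ignored) whose tag is `name`."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return one finding per url-pattern of every security-constraint."""
    findings = []
    for sc in elems(ET.fromstring(xml_text), "security-constraint"):
        auth = elems(sc, "auth-constraint")
        # None: no auth-constraint, so no role is required. []: nobody allowed.
        roles = [r.text.strip() for r in elems(sc, "role-name")] if auth else None
        for wrc in elems(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in elems(wrc, "http-method")]
            for p in elems(wrc, "url-pattern"):
                findings.append({
                    "url_pattern": p.text.strip(),
                    "constrained_methods": methods or "ALL",
                    "roles": roles,
                    # Listed methods only: this constraint covers no others.
                    "other_methods_uncovered": bool(methods),
                })
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML):
        print(finding)
```

A finding with `other_methods_uncovered` set to true is the case worth reviewing: unless another constraint covers the same pattern, requests using any method not listed reach the resource without a role check.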
 