Frederic Esnault Revision notes

 
Mamadou Touré
Ranch Hand
Posts: 189
Hi Folks,

I think there is some confusion in the Frederic Esnault revision notes posted on this site ( http://esnault.frederic.free.fr/certification/scwcd_notes.pdf ) in chapter 12, regarding security.
In the Authentication part, Frederic talks about security constraints, and in the Authorization part he talks about BASIC, DIGEST, CLIENT-CERT and FORM (these should be related to authentication, I think).
He did the opposite.
Could someone (a bartender, for example) please check it?
[ January 01, 2009: Message edited by: Mamadou Touré ]
 
Phillipe Eduardo Lemos
Greenhorn
Posts: 7
C++ Java Ubuntu
Hi Mamadou Touré,

It's wrong. He mixes up the concepts of authentication and authorization, and
in the first part of chapter 12 he didn't describe the concepts he listed.

I didn't see the benefit of using security-role-ref explained in the document (see the last paragraph of page 91 of the Servlet 2.4 specification, or page 87 of the Servlet 2.5 specification).

He mentioned that the restrictions are applied to requests made from outside the webapp, but he didn't mention when the container does not apply the security model: "The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include." (See the servlet specification, section 12.2.)

In the section on auth-constraint combinations, he mentioned a list of users, but the correct word is roles, because we don't apply a constraint to a user.

When he described programmatic authentication, he mentioned three methods of the HttpServletRequest interface. The title should not be programmatic authentication but programmatic security. And getUserPrincipal provides the principal name of the current user and returns a java.security.Principal object.

In the Confidentiality section he puts:

<security-constraint>
    <transport-guarantee>...</transport-guarantee>
</security-constraint>

It's wrong. The transport-guarantee is a nested tag under <user-data-constraint>. This tag is responsible for constraining requests to be received over a protected transport-layer connection
(see the Servlet 2.4 specification, section 12.8, or the Servlet 2.5 specification, section 12.7):

<security-constraint>
    <web-resource-collection>
        <url-pattern>...</url-pattern>
        ...
        <http-method>...</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>...</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>...</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The description of the value NONE is incomplete.
NONE indicates that the container must accept the constrained requests when received on any connection, including an unprotected one.


Regards
Phillipe Lemos
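To make the corrections in the two posts above concrete (authentication lives in login-config, authorization and confidentiality live in security-constraint, and transport-guarantee sits under user-data-constraint), here is a complete web.xml as an added example. It is not taken from the revision notes or the servlet specification; the servlet name, class, URL pattern and role names are made up for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the revision notes: a Servlet 2.5 web.xml with
     each security element in the place the specification puts it.
     ReportServlet, com.example.ReportServlet, /reports/*, "mgr" and
     "manager" are assumed names for illustration only. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <!-- security-role-ref: the servlet code calls isUserInRole("mgr");
         role-link maps that hard-coded name to the application role
         "manager", so the deployer can rename roles without touching code. -->
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- AUTHENTICATION: how the container learns who the caller is.
       auth-method is one of BASIC, DIGEST, FORM or CLIENT-CERT. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- AUTHORIZATION and CONFIDENTIALITY: which roles may reach which
       resources, and over what kind of connection. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <!-- Only the listed methods are constrained; leave http-method out
           to constrain every method. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- auth-constraint names roles, never individual users. An empty
         <auth-constraint/> denies everyone; omitting it allows everyone. -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- transport-guarantee is nested under user-data-constraint, not
         directly under security-constraint. CONFIDENTIAL requires a
         protected (SSL/TLS) connection; NONE accepts any connection. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role named in an auth-constraint or role-link must be declared. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Two caveats worth keeping in mind when reading this: the constraint is enforced only on requests that arrive from the client at /reports/*, not when another servlet reaches ReportServlet through a RequestDispatcher forward or include (servlet specification section 12.2), so any servlet that forwards there must do its own check. And the programmatic side (getRemoteUser, isUserInRole, getUserPrincipal on HttpServletRequest) only reports what the declarative configuration established; with no login-config, getUserPrincipal returns null and isUserInRole returns false.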
 
Mamadou Touré
Ranch Hand
Posts: 189
Thanks Phillipe Eduardo,

So for those like me who want to use this document, BE CAREFUL.

Regards
 
Christian Nicoll
Ranch Hand
Posts: 132
Thanks for this little errata
 