I think there is some confusion in Frederic Esnault's revision notes posted on this site ( http://esnault.frederic.free.fr/certification/scwcd_notes.pdf ), in chapter 12 regarding security. In the Authentication part, Frederic talks about the security constraint, and in the Authorization part he talks about BASIC, DIGEST, CLIENT-CERT and FORM (which I think should belong to authentication). He did the opposite. Could someone (a bartender, for example) please check it?
SCJP 5 (76%)
SCWCD 5 (86%)
"The greatest glory in living lies not in never falling, but in rising every time we fall." Nelson Mandela
It's wrong. He mixes up the concepts of authentication and authorization, and in the first part of chapter 12 he doesn't describe the concepts listed.
I didn't see the benefits of using security-role-ref in the document (see the last paragraph of page 91 of the Servlet 2.4 specification, or page 87 of the Servlet 2.5 specification).
He mentioned that restrictions are applied to requests made from outside the webapp. But he didn't mention when the container does not apply the security model: "The security model doesn't apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using an include or a forward." (See the Servlet specification, section 12.2.)
In the section on auth-constraint combinations, he mentions a list of users, but the correct word is roles, because we don't apply a constraint to a user.
When he described programmatic authentication he mentioned three methods of the HttpServletRequest interface. The title should not be programmatic authentication but programmatic security. And getUserPrincipal provides the principal name of the current user and returns a java.security.Principal object.
It's wrong. The transport guarantee is a nested tag under <user-data-constraint>. This tag is responsible for constraining requests to be received over a protected transport-layer connection (see Servlet spec 2.4, section 12.8, or Servlet spec 2.5, section 12.7).