
<auth-constraint>

 
Ranch Hand
Posts: 167
Inside <security-constraint> element
what would be the result for a combination of these 2 <security-constraint> elements:

<security-constraint>
  ...
  <auth-constraint>
    <role-name>*</role-name> <!-- Everybody -->
  </auth-constraint>
</security-constraint>

<security-constraint>
  ...
  <auth-constraint>
  </auth-constraint> <!-- nobody -->
  ...
</security-constraint>
 
Ranch Hand
Posts: 45
Hi,

I think that no user is allowed to access, since the spec says: "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

So when there is a condition like nobody and everybody --> nobody.

Am I correct? If wrong, please correct me.
 
Ranch Hand
Posts: 40
Yes,

<auth-constraint></auth-constraint>
or
<auth-constraint/>

means that NO USER is allowed access to the resource outlined in the <web-resource-collection> element;
however, it does not restrict other resources within the same application from accessing the resource.

Please also note: The "*" will allow access to all role names defined in the deployment descriptor

Also, some folks have been asking for sources so this is direct from SUN:

An authorization constraint establishes a requirement for authentication and names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint. If there is no authorization constraint, the container must accept the request without requiring user authentication. If there is an authorization constraint, but no roles are specified within it, the container will not allow access to constrained requests under any circumstances. The wildcard character * can be used to specify all role names defined in the deployment descriptor. Security roles are discussed in Working with Security Roles.



http://docs.sun.com/app/docs/doc/819-3669/bncbk?a=view
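
An added example, not part of the thread or of any container's code: a small audit script that applies the Servlet spec's combining rules to a web.xml and reports the effective access per URL pattern. It goes beyond the "everybody plus nobody" case in the question by also covering the union of named roles and the constraint with no <auth-constraint>. Assumptions: `effective_access` is a hypothetical helper, the descriptor is a constructed sample, only identical url-pattern strings are combined, and HTTP methods are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; /admin/* carries the two constraints from the question.
WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern><url-pattern>/reports/*</url-pattern>
      <url-pattern>/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def effective_access(web_xml):
    """Hypothetical helper: combined auth-constraint per identical url-pattern."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    seen = {}
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None                            # None: no auth-constraint element
        if auth is not None:
            roles = {r.text.strip() for r in auth.findall("role-name")}
            if "*" in roles:                    # "*" means every declared role
                roles = set(declared) or {"*"}
        for p in sc.findall("web-resource-collection/url-pattern"):
            seen.setdefault(p.text.strip(), []).append(roles)
    result = {}
    for pattern, entries in seen.items():
        if any(e is not None and not e for e in entries):
            result[pattern] = "DENY_ALL"        # empty auth-constraint overrides all
        elif any(e is None for e in entries):
            result[pattern] = "NO_AUTH_REQUIRED"  # a constraint without auth-constraint
        else:
            result[pattern] = sorted(set().union(*entries))
    return result
```

On the sample, /admin/* is denied to everyone, while /reports/* ends up reachable without authentication because one of its constraints has no <auth-constraint> at all; that second outcome is the one worth checking for when reviewing a descriptor.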
 