mock question on security

 
Greenhorn
Hi, I can't understand the response of this mock test from Enthuware (V4 - Standard Test 2 - Question 31).


Consider the web.xml snippet shown in the exhibit.



Now consider the code for a jsp file named unprotected.jsp:




Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?

Select 1 correct option.
A. The user will be prompted to enter user name and password
B. An exception will be thrown
C. protected.jsp will be executed but its output will not be included in the response
D. The call to include will be ignored
E. None of these


ANS : E

I think the answer should be B, because it is attempting to access an unauthorized resource. Can someone explain this?
Thanks a lot.
 
Creator of Enthuware JWS+ V6

I think the answer should be B, because it is attempting to access an unauthorized resource. Can someone explain this?
Thanks a lot.


The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits
 
Ranch Hand
Thanks Frits! I thought so, but is there any way to give security to the server-side request? I think there is no need to do it?
 
Frits Walraven
Creator of Enthuware JWS+ V6

I thought so, but is there any way to give security to the server-side request? I think there is no need to do it?


Not in the Servlet 2.4 specs, but you can always add programmatic security if you want to add extra functionality.

Regards,
Frits

 
Malika Ben Aziz
Greenhorn

Frits Walraven wrote:

I think the answer should be B, because it is attempting to access an unauthorized resource. Can someone explain this?
Thanks a lot.


The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits


I am sorry Frits, I still don't understand how to respond to this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp.
I still don't see what forwarding or including have to do with this.

Could you please explain further why E is the correct answer?
 
Abimaran Kugathasan
Ranch Hand
I think there is no need for declarative security for server-side requests. We can do it with programmatic security. Please confirm this!
 
Sheriff
jsp:include is a static include; it happens only once, not with every request. So there is no point in securing it using user roles.

Malika, what Frits is trying to say here is that the security constraint will apply if the user directly tries to access /jsp/protected.jsp. In the question, the user is accessing unprotected.jsp, and unprotected.jsp will include /jsp/protected.jsp. So the server side include will not be authorized...
 
Abimaran Kugathasan
Ranch Hand

Ankit Garg wrote: So the server side include will not be authorized...



Ankit, I couldn't understand this! You mean there are no restrictions for server-side requests? Please elaborate.

Thanks!
 
Frits Walraven
Creator of Enthuware JWS+ V6
Malika,

I am sorry Frits, I still don't understand how to respond to this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp.
I still don't see what forwarding or including have to do with this.


It seems Ankit's response and mine didn't solve your question. Let me try to explain it in another way.

There is a security constraint defined on /jsp/protected.jsp, so if we try to access it like (assume MyWebApp is the context root of your webapp): http://localhost:8080/MyWebApp/jsp/protected.jsp the server will check the last part of the URL /jsp/protected.jsp against all the security constraints defined in the web.xml. It will find a constraint and only allow managers to access it.

There is no security constraint defined on /jsp/unprotected.jsp, so if we access it like http://localhost:8080/MyWebApp/jsp/unprotected.jsp the server will check /jsp/unprotected.jsp against all the security constraints defined in the web.xml and won't find any. Hence it will allow the request to be delivered at the jsp.
The server will not check any content of the jsp or Servlet, meaning that if that jsp includes or forwards to another jsp (or the Servlet does a forward to or include of another Servlet) it won't be taken into account.

See also the spec:

SRV.12.2 Declarative Security
The security model applies to the static content part of the web application
and to servlets and filters within the application that are requested by the client.
The security model does not apply when a servlet uses the RequestDispatcher to
invoke a static resource or servlet using a forward or an include.



Does this make things clearer?

Regards,
Frits
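
The programmatic security mentioned earlier in the thread, as an added example that is not part of any post: a filter that repeats the role check when /jsp/protected.jsp is reached through a forward or an include. The filter name ManagerOnlyFilter and its web.xml mapping are assumptions; the "manager" role and the path come from the question.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml mapping (hypothetical filter name). The Servlet 2.4
 * <dispatcher> elements make the filter run for direct requests and for
 * RequestDispatcher forwards and includes:
 *
 *   <filter-mapping>
 *     <filter-name>ManagerOnlyFilter</filter-name>
 *     <url-pattern>/jsp/protected.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 */
public class ManagerOnlyFilter implements Filter {

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Returns false for unauthenticated callers as well as for other roles.
        if (request.isUserInRole("manager")) {
            chain.doFilter(req, res);
            return;
        }
        // The container sets this attribute on the request during an include
        // obtained by path (SRV.8.3.1).
        boolean included =
                request.getAttribute("javax.servlet.include.request_uri") != null;
        if (included) {
            // An included resource cannot change the status code or headers,
            // so the protected fragment is simply left out of the page.
            return;
        }
        // Direct request or forward: the response is still uncommitted.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() {}
}
```

The filter only sees includes that go through RequestDispatcher at request time; a translation-time `<%@ include %>` merges the file into the including JSP, so no dispatch occurs and no filter runs.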
 
Greenhorn
This is a typo in the specifications of this question...


The question should be:


Now consider the code for a JSP file named unprotected.jsp


Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?
 
Frits Walraven
Creator of Enthuware JWS+ V6
Posts: 3285
296
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Be careful, there are two ways to include a file in a JSP:

a static include (happens once)
and a dynamic include (happens for every request)


Regards,
Frits
 