mock question on security

Hi, I can't understand the response of this mock test from Ethunware(V4 -Standard Test 2 - Question 31 )


Consider the web.xml snippet shown in the exhibit.

<web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>test</web-resource-name> <url-pattern>/jsp/protected.jsp</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager</role-name> </auth-constraint> </security-constraint> ... </web-app>

Now consider the code for a jsp file named unprotected.jsp:

<html> <body> <jsp:include page="/jsp/protected.jsp" /> </body> </html>


Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?

Select 1 correct option.
A.The user will be prompted to enter user name and password
B.An exception will be thrown
C.protected.jsp will be executed but it's output will not be included in the response
D.The call to include will be ignored
E.None of these

ANS : E

I think the answer should be B, because it is attempting to access unauthorized resource. Can someone explain this?
Thanks a lot.

I think the answer should be B, because it is attempting to access unauthorized resource. Can someone explain this?
Thanks a lot.

The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits

Thanks Frits! I thought so, but are there any way to give security to the server side request? I think, there is no need of doing it?

I thought so, but are there any way to give security to the server side request? I think, there is no need of doing it?

Not in the Servlet 2.4 specs, but you can always add programmatic security if you want to add extra functionality.

Regards,
Frits

Frits Walraven wrote:

I think the answer should be B, because it is attempting to access unauthorized resource. Can someone explain this?
Thanks a lot.

The important rule to follow here is that security only applies to requests coming from the client (browser). It doesn't apply to requests that are forwarded or included.

Regards,
Frits

I am sorry Frits, I still don't understand how to respond to this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp
I still don't see what Forwarding or including have to do with this.

Could you please more explain why E is the correct answer?

I think, there is no need of declarative security for server side request. We can do it by programmatic security. Please confirm this!

jsp:include is a static include, it happens only once not with every request. So there is no point in securing it using user roles.

Malika what Frits is trying to say here is the security constraint will apply if the user directly tries to access /jsp/protected.jsp. In the question the user is accessing unprotected.jsp and unprotected.jsp will include /jsp/protected.jsp. So the server side include will not be authorized...

Ankit Garg wrote:So the server side include will not be authorized...

Ankit, I couldn't understand this! You mean, there is no restrictions for server side requests? Please elaborate it.

Thanks!

Malika,

I am sorry Frits, I still don't understand how to respond to this question. What I see is that we have a "manager" user that tries to access /jsp/protected.jsp
I still don't see what Forwarding or including have to do with this.

It seems Ankit and my response didn't solve your question. Let me try to explain it in another way.

There is a security constraint defined on /jsp/protected.jsp, so if we try to access it like (assume MyWebApp is the context root of your webapp): http://localhost:8080/MyWebApp/jsp/protected.jsp the server will check the last part of the URL /jsp/protected.jsp against all the security constraints defined in the web.xml. It will find a constraint and only allow managers to access it.

There is no security constraint defined on /jsp/unprotected.jsp, so if we access it like http://localhost:8080/MyWebApp/jsp/unprotected.jsp the server will check /jsp/unprotected.jsp against all the security constraints defined in the web.xml and won't find any. Hence it will allow the request to be delivered at the jsp.
The server will not check any content of the jsp or Servlet, meaning that if that jsp includes or forwards to another jsp (or the Servlet does a forward to or include of another Servlet) it won't be taken into account.

See also the spec:

SRV.12.2 Declarative Security
The security model applies to the static content part of the web application
and to servlets and filters within the application that are requested by the client.
The security model does not apply when a servlet uses the RequestDispatcher to
invoke a static resource or servlet using a forward or an include.

Does this make things clearer?

Regards,
Frits

This is a typo in the specifications of this question...


The question shuould be:


Now Consider the coide for jsp file named unprotected.jsp
<html><body> <jsp:include file="unprotected.jsp"/> </body></html>

Which of the following statements hold true when unprotected.jsp is requested by an unauthorized user?

be careful there are two ways to include a file in a jsp:

Static include (happens once)
<%@include file="/jsp/unprotected.jsp"%> and a dynamic include (happens for every request)
<jsp:include page="/jsp/unprotected.jsp" />

Regards,
Frits