
Authorisation related

 
Simran Dass
Ranch Hand
Posts: 183


"BY MISTAKE I posted this question in the forum HTML and JavaScript." Please remove it from there, but not from here.


Suppose the DD has two roles defined: Admin and User.
Suppose there are two <security-constraint> elements in the DD. Both constrain the same resource. One of them DOES NOT have an <auth-constraint> element.

The web.xml
-------------------

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SS</web-resource-name>
        <url-pattern>/mine/yes</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurityQ</web-resource-name>
        <url-pattern>/mine/yes</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>

<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>


When I requested /mini/yes in Tomcat 5.5 it did NOT ask for any authentication, i.e. it allows unauthenticated access to all the roles. There is a similar question in the Kathy Sierra Mock Exam (2nd Edition), Q30. According to the Errata, only the "user" role should be allowed access. WHY?


The Servlet Spec says (which is not very clear):

SRV 12.8.1
--------------
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."



My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?

Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2536
Hi Simran,

My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?


There are two possibilities:
  • <security-constraint> with NO <auth-constraint> combined with <security-constraint> with <auth-constraint></auth-constraint> means NOBODY has access
  • <security-constraint> with NO <auth-constraint> combined with any other <security-constraint> means EVERYBODY has access

Regards,
Frits
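As an added example (not code from the thread, from Tomcat or from the servlet spec), here is a small Python checker that parses a web.xml and applies the combining rules Frits lists, so a deployment descriptor can be audited for a constraint that silently opens a resource. It assumes exact url-pattern matches only (no path-prefix or extension patterns and no "*" role expansion) and works on a constructed copy of the thread's descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's web.xml: two constraints on the same
# resource, the second with no <auth-constraint> element at all.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SS</web-resource-name>
      <url-pattern>/mine/yes</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurityQ</web-resource-name>
      <url-pattern>/mine/yes</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Same file, but the second constraint carries an *empty* <auth-constraint/>.
DENY_ALL_XML = WEB_XML.replace("</web-resource-collection>\n  </security-constraint>",
    "</web-resource-collection>\n    <auth-constraint/>\n  </security-constraint>")

def effective_access(web_xml, url, method):
    """Return 'everyone', 'nobody', or the set of roles allowed to reach url/method.
    SRV.12.8.1 combining rules: an empty <auth-constraint/> denies everybody and
    overrides the rest; a constraint with no <auth-constraint> grants
    unauthenticated access; otherwise the union of the named roles applies."""
    root = ET.fromstring(web_xml)
    matched = []  # per matching constraint: None (no <auth-constraint>) or its role set
    for sc in root.iter("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if url in patterns and (not methods or method in methods):
                ac = sc.find("auth-constraint")
                matched.append(None if ac is None else
                               {r.text.strip() for r in ac.findall("role-name")})
                break
    if not matched:
        return "everyone"  # resource is not constrained for this method
    if any(r is not None and not r for r in matched):
        return "nobody"    # empty <auth-constraint/> wins over everything
    if any(r is None for r in matched):
        return "everyone"  # a missing <auth-constraint> opens the resource up
    return set().union(*matched)
```

Running it on the thread's descriptor reports "everyone" for GET /mine/yes, which is exactly the behaviour Simran saw in Tomcat; removing the second constraint, or giving it its own role list, is what restricts access to "user".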
     
Abimaran Kugathasan
Ranch Hand
Posts: 2066
With your constraints, everyone can access the resources. And further, can you post the K&B book question?
     
Simran Dass
Ranch Hand
Posts: 183

Thank you.

And does "everybody" here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL"?
     
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2536
And does "everybody" here mean "CONTAINER WILL NOT DO AUTHENTICATION AT ALL"?

Yes it does.

Regards,
Frits
     
Simran Dass
Ranch Hand
Posts: 183

Thanks a lot, Frits.
     