"BY MISTAKE I posted this question in the forum - HTML and javascript".Please remove it from there but not from here "
Suppose the DD has two roles defined - Admin and User.
Suppose there are two <security-constraint> elements in th DD. Both constrain the same
resource. One of them DOES NOT have a <auth-constraint> element.
The web.xml
-------------------
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>SS</web-resource-name>
<url-pattern>/mine/yes</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurityQ</web-resource-name>
<url-pattern>/mine/yes</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>
When I requested /mini/yes in
Tomcat 5.5 it did NOT ask for any authentication, i.e.
it allows unauthenticated access to all the roles. There is a similar question in the Kathy Sierra Mock Exam (2nd Edition) - Q 30. According to the Errata, only the "user" role should be allowed access. WHY?
The Servlet Spec says (which is not very clear):
SRV 12.8.1
--------------
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."
My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?
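To make the SRV 12.8.1 combination rules concrete, here is an added example (not the poster's code and not Tomcat's) that applies them to a constructed copy of the web.xml above: constraints covering the same URL pattern and method are merged, a constraint with no <auth-constraint> opens the resource to unauthenticated access, and an empty <auth-constraint> precludes access outright. The function name effective_access and the WEB_XML string are assumptions made for this illustration.

```python
"""Model of the Servlet-spec (SRV 12.8.1) rule for combining <security-constraint>
elements that cover the same URL pattern and HTTP method. Added illustration only;
WEB_XML is a constructed copy of the two constraints from the post."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
<security-constraint>
 <web-resource-collection>
  <web-resource-name>SS</web-resource-name>
  <url-pattern>/mine/yes</url-pattern><http-method>GET</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<security-constraint>
 <web-resource-collection>
  <web-resource-name>SecurityQ</web-resource-name>
  <url-pattern>/mine/yes</url-pattern><http-method>GET</http-method>
 </web-resource-collection>
</security-constraint>
</web-app>"""


def effective_access(web_xml, url_pattern, method):
    """Return 'unauthenticated', 'precluded', or the set of role names allowed.
    An empty set means no constraint covered the resource at all."""
    root = ET.fromstring(web_xml)
    roles, open_to_all = set(), False
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text for p in wrc.findall("url-pattern")]
            methods = [m.text for m in wrc.findall("http-method")]
            # No <http-method> listed means the collection covers every method.
            if url_pattern in patterns and (not methods or method in methods):
                break
        else:
            continue  # this constraint does not cover the requested resource
        ac = sc.find("auth-constraint")
        if ac is None:
            open_to_all = True  # no <auth-constraint>: allows unauthenticated access
        elif not ac.findall("role-name"):
            return "precluded"  # empty <auth-constraint> overrides all others
        else:
            roles.update(r.text for r in ac.findall("role-name"))
    if open_to_all:
        return "unauthenticated"
    return roles


if __name__ == "__main__":
    print(effective_access(WEB_XML, "/mine/yes", "GET"))  # unauthenticated
```

Deleting the second constraint from WEB_XML changes the result to {'user'}, which is the behaviour the errata describes as intended, so the fix is to remove the constraint that has no <auth-constraint> rather than to expect the container to ignore it.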