This week's book giveaway is in the Spring forum.
We're giving away four copies of Spring in Action (5th edition) and have Craig Walls on-line!
See this thread for details.
Win a copy of Spring in Action (5th edition) this week in the Spring forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Bear Bibeault
  • Devaka Cooray
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Knute Snortum
  • Junilu Lacar
  • paul wheaton
Saloon Keepers:
  • Ganesh Patekar
  • Frits Walraven
  • Tim Moores
  • Ron McLeod
  • Carey Brown
Bartenders:
  • Stephan van Hulst
  • salvin francis
  • Tim Holloway

security roles  RSS feed

 
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

This question is from HFSJ final mock exam.

Your web application has a valid deployment descriptor in which student and
sensei are the only security roles that have been defined. The deployment
descriptor contains two security constraints that declare the same resource to
be constrained. The first security constraint contains:
234. <auth-constraint>
235. <role-name>student</role-name>
236. </auth-constraint>
And the second security constraint contains:
251. <auth-constraint/>
Which are true? (Choose all that apply.)
A. As the deployment descriptor stands now, the constrained resource can
be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can
be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can
be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by student users.



The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The given answer is right (i.e., option D). The default behavior if auth-constraint tag is not provided is every one can access the resource. So option D is correct.



Regards,
Seeta
 
Shobhan Ganta
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Seeta,

Thanks for replying to my post.

The default behavior if auth-constraint tag is not provided is every one can access the resource.



This above statement is correct only if none of the role-name present inside auth-constraint tag.
but Optin D states if only the second security constraint tag is removed we still have first security role. hence I suspect option D is not correct.

When two different non-empty <auth-constraint> elements apply to the same constrained resource,
access is granted to the union of all roles from both of the <auth-constraint> elements



Thanks
Shobhan
 
Ranch Hand
Posts: 252
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Shobhan Ganta wrote:The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan



Hi Shobhan,

You are absolutely right.

Check out the Errata webpage for the book.
This is what the authors have to say:
"Remove the checkmark from Option D and put it on Option F."
 
Shobhan Ganta
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Nidhi for confirming.
 
Greenhorn
Posts: 29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So Does that mean there is error on page 671 of new book having following text:

Dueling <auth-constraint> elements:
A and B refer to two <security-constraint> elements partially of fully overlapping <web-resource-collection>


Contents of A: No <auth-constraint> element
Content of B: <auth-constraint>Admin</auth-constraint>

In above case, book says Everybody has access to 'UpdateRecipes'

If there is errata in above mock question then Is this also wrong in the book?
Or there is something wrong in my understanding??
 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No Isha, the book is right:

lack of <auth-constraint> means ALLOW ANYBODY to access given resource (+http method of course).
<auth-constraint> with one (or more) roles means ONLY those specified can access given resource.

So if any of the constraints EXPLICITLY grant you access (first tag) you have that access, UNLESS there's an EMPTY <auth-constraint> that is always winning forbidding access, no matter how many other constraints would give you access

Remember: empty <auth-constraint> is the opposite of LACK of it!

Hope it's clear
 
You know it is dark times when the trees riot. I think this tiny ad is their leader:
Download Free Java APIs to Work with Office Files and PDF
htttp://www.e-iceblue.com/free-apis.html
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!