security roles

 
Hi,

This question is from the HFSJ final mock exam.

Your web application has a valid deployment descriptor in which student and
sensei are the only security roles that have been defined. The deployment
descriptor contains two security constraints that declare the same resource to
be constrained. The first security constraint contains:
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
And the second security constraint contains:
<auth-constraint/>
Which are true? (Choose all that apply.)
A. As the deployment descriptor stands now, the constrained resource can
be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can
be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can
be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by student users.

The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan
 
The given answer is right (i.e., option D). The default behavior if the auth-constraint tag is not provided is that everyone can access the resource. So option D is correct.

Regards,
Seeta
 
Shobhan Ganta
Hi Seeta,

Thanks for replying to my post.

Seeta wrote: The default behavior if the auth-constraint tag is not provided is that everyone can access the resource.

The above statement is correct only if no role-name is present inside the auth-constraint tag.
But option D states that if only the second security constraint tag is removed, we still have the first security role; hence I suspect option D is not correct.

When two different non-empty <auth-constraint> elements apply to the same constrained resource,
access is granted to the union of all roles from both of the <auth-constraint> elements.

Thanks
Shobhan
 

Shobhan Ganta wrote: The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan

Hi Shobhan,

You are absolutely right.

Check out the Errata webpage for the book.
This is what the authors have to say:
"Remove the checkmark from Option D and put it on Option F."
 
Shobhan Ganta
Thanks Nidhi for confirming.
 
So does that mean there is an error on page 671 of the new book, which has the following text:

Dueling <auth-constraint> elements:
A and B refer to two <security-constraint> elements with partially or fully overlapping <web-resource-collection>s.

Contents of A: No <auth-constraint> element
Contents of B: <auth-constraint>Admin</auth-constraint>

In the above case, the book says everybody has access to 'UpdateRecipes'.

If there is an erratum for the above mock question, then is this also wrong in the book?
Or is there something wrong in my understanding?
 
No Isha, the book is right:

Lack of an <auth-constraint> means ALLOW ANYBODY to access the given resource (+ HTTP method, of course).
An <auth-constraint> with one (or more) roles means ONLY those specified can access the given resource.

So if any of the constraints EXPLICITLY grants you access (first tag), you have that access, UNLESS there's an EMPTY <auth-constraint>, which always wins and forbids access, no matter how many other constraints would give you access.

Remember: an empty <auth-constraint> is the opposite of the LACK of it!

Hope it's clear
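The three cases argued over in this thread, worked through in code. This is an added example, not code from the thread or from the HFSJ book: a small Python evaluator of the rules in section 13.8.1 ("Combining Constraints") of the Servlet 3.x specification for <auth-constraint> elements whose <security-constraint>s cover the same resource. The embedded web.xml is constructed to mirror the mock-exam question; the URL /dojo/UpdateRecipes and the <web-resource-name> values are assumptions. It deliberately evaluates both readings of "the second <auth-constraint> tag is removed" (deleting only that element, so the constraint is left without any <auth-constraint>, versus deleting the whole second <security-constraint>), because the two readings give different results. Simplifications: a constraint covers a resource only when a <url-pattern> matches the requested pattern exactly (the spec's pattern precedence and <http-method> handling are not modelled), and the Servlet 3.1 "**" role is not handled.

```python
# Added example: evaluator for the Servlet spec 13.8.1 rules on combining
# <auth-constraint> elements. Not code from the thread or from the HFSJ book.
import xml.etree.ElementTree as ET

ALLOW_ALL = "everyone (no authentication required)"
DENY_ALL = "nobody (access precluded)"

# Constructed deployment-descriptor fragment mirroring the mock-exam question:
# two constraints on the same resource, the first naming "student", the
# second carrying an EMPTY <auth-constraint/>. URL and resource names are
# assumptions for illustration.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>recipes</web-resource-name>
      <url-pattern>/dojo/UpdateRecipes</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>student</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>recipes-again</web-resource-name>
      <url-pattern>/dojo/UpdateRecipes</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>student</role-name></security-role>
  <security-role><role-name>sensei</role-name></security-role>
</web-app>
"""


def constraints_covering(root, url_pattern):
    """One entry per <security-constraint> whose <url-pattern> equals url_pattern:
    None when the constraint has no <auth-constraint> at all, otherwise the set
    of role names it lists (an empty set for <auth-constraint/>)."""
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    found = []
    for sc in root.iterfind("security-constraint"):
        patterns = {p.text.strip() for p in sc.iterfind("web-resource-collection/url-pattern")}
        if url_pattern not in patterns:
            continue
        ac = sc.find("auth-constraint")
        if ac is None:
            found.append(None)
            continue
        roles = {r.text.strip() for r in ac.iterfind("role-name")}
        if "*" in roles:                      # "*" = every role declared in web.xml
            roles = (roles - {"*"}) | declared
        found.append(roles)
    return found


def combine(constraints):
    """Spec 13.8.1 combination rules, in precedence order."""
    if not constraints:
        return ALLOW_ALL                       # resource is not constrained at all
    if any(c is not None and not c for c in constraints):
        return DENY_ALL                        # empty <auth-constraint/> overrides everything
    if any(c is None for c in constraints):
        return ALLOW_ALL                       # a missing <auth-constraint> opens the resource
    return frozenset().union(*constraints)     # otherwise: union of the named roles


def effective_access(web_xml, url_pattern):
    return combine(constraints_covering(ET.fromstring(web_xml), url_pattern))


def drop_auth_constraint(web_xml, index):
    """Reading 1 of 'remove the second <auth-constraint> tag': delete only that
    element, leaving its <security-constraint> without an <auth-constraint>."""
    root = ET.fromstring(web_xml)
    sc = root.findall("security-constraint")[index]
    sc.remove(sc.find("auth-constraint"))
    return ET.tostring(root, encoding="unicode")


def drop_security_constraint(web_xml, index):
    """Reading 2: delete the whole <security-constraint> at that index."""
    root = ET.fromstring(web_xml)
    root.remove(root.findall("security-constraint")[index])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    res = "/dojo/UpdateRecipes"
    print("as written:                    ", effective_access(WEB_XML, res))
    print("drop 2nd <auth-constraint>:    ", effective_access(drop_auth_constraint(WEB_XML, 1), res))
    print("drop 2nd <security-constraint>:", effective_access(drop_security_constraint(WEB_XML, 1), res))
```

As written, the empty <auth-constraint/> wins and nobody can reach the resource. Deleting only that element leaves a constraint with no <auth-constraint>, which by the spec combines with the student constraint to allow unauthenticated access (everyone); deleting the whole second <security-constraint> leaves student alone. The middle case is the one to watch for in a real web.xml: a second <security-constraint> on an overlapping pattern that carries only a <user-data-constraint> (say, to force HTTPS) and no <auth-constraint> silently removes the authorization check from the first one.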
 