• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Liutauras Vilda
  • Campbell Ritchie
  • Tim Cooke
  • Bear Bibeault
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Knute Snortum
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Ganesh Patekar
  • Stephan van Hulst
  • Pete Letkeman
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Ron McLeod
  • Vijitha Kumara

security roles  RSS feed

 
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

This question is from HFSJ final mock exam.

Your web application has a valid deployment descriptor in which student and
sensei are the only security roles that have been defined. The deployment
descriptor contains two security constraints that declare the same resource to
be constrained. The first security constraint contains:
234. <auth-constraint>
235. <role-name>student</role-name>
236. </auth-constraint>
And the second security constraint contains:
251. <auth-constraint/>
Which are true? (Choose all that apply.)
A. As the deployment descriptor stands now, the constrained resource can
be accessed by both roles.
B. As the deployment descriptor stands now, the constrained resource can
be accessed only by sensei users.
C. As the deployment descriptor stands now, the constrained resource can
be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained
resource can be accessed only by student users.



The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The given answer is right (i.e., option D). The default behavior if auth-constraint tag is not provided is every one can access the resource. So option D is correct.



Regards,
Seeta
 
Shobhan Ganta
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Seeta,

Thanks for replying to my post.

The default behavior if auth-constraint tag is not provided is every one can access the resource.



This above statement is correct only if none of the role-name present inside auth-constraint tag.
but Optin D states if only the second security constraint tag is removed we still have first security role. hence I suspect option D is not correct.

When two different non-empty <auth-constraint> elements apply to the same constrained resource,
access is granted to the union of all roles from both of the <auth-constraint> elements



Thanks
Shobhan
 
Ranch Hand
Posts: 252
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Shobhan Ganta wrote:The correct answer given is option D.

But I guess it should be option F? Can someone please explain?

Thanks
Shobhan



Hi Shobhan,

You are absolutely right.

Check out the Errata webpage for the book.
This is what the authors have to say:
"Remove the checkmark from Option D and put it on Option F."
 
Shobhan Ganta
Ranch Hand
Posts: 37
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Nidhi for confirming.
 
Greenhorn
Posts: 29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So Does that mean there is error on page 671 of new book having following text:

Dueling <auth-constraint> elements:
A and B refer to two <security-constraint> elements partially of fully overlapping <web-resource-collection>


Contents of A: No <auth-constraint> element
Content of B: <auth-constraint>Admin</auth-constraint>

In above case, book says Everybody has access to 'UpdateRecipes'

If there is errata in above mock question then Is this also wrong in the book?
Or there is something wrong in my understanding??
 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No Isha, the book is right:

lack of <auth-constraint> means ALLOW ANYBODY to access given resource (+http method of course).
<auth-constraint> with one (or more) roles means ONLY those specified can access given resource.

So if any of the constraints EXPLICITLY grant you access (first tag) you have that access, UNLESS there's an EMPTY <auth-constraint> that is always winning forbidding access, no matter how many other constraints would give you access

Remember: empty <auth-constraint> is the opposite of LACK of it!

Hope it's clear
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!