Mock question about <auth-constraint>

Ranch Hand
Posts: 252
This question is from Marcus Green's mock exam:

Which statements are true of the following snippet of a deployment descriptor?

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sensitive</web-resource-name>
        <url-pattern>/SecuredServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
    <role-name>manager</role-name>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sensitive</web-resource-name>
        <url-pattern>/SecuredServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

Choose one answer.
A. It is faulty because it has multiple security-constraint elements
B. It is faulty because it does not supply the http-method tag
C. Only members of the manager role will be able to access the resource
D. Any user will be able to access the resource
E. No users will be able to access the resource


I had answered E, but the correct answer given is D. The explanation is: "Although the first auth-constraint is empty, implying no one will have access to the resource, this is cancelled out by the second auth-constraint that will allow anyone to access the resource."

Is this right?


Bartender
Posts: 543
An empty auth-constraint has precedence. It appears there is a problem with that first auth-constraint, because the role-name is outside the auth-constraint element. I think the manager role should be within the first auth-constraint element, and then it would be true that any user would have access. It appears as an error in the code, and a faulty explanation.

EDIT:
Quoted from Head First Servlets & JSP pg 671:

An empty <auth-constraint> tag combines with anything else to allow access to nobody! In other words, an empty <auth-constraint> is always the final word!

Nidhi Sar
Ranch Hand
Posts: 252

Dieter Quickfend wrote: An empty auth-constraint has precedence. It appears there is a problem with that first auth-constraint, because the role-name is outside the auth-constraint element.


Thanks Dieter, that's what I thought too.

The only reason I thought that the "empty auth-constraint trumps all" rule might not apply here is, that the <web-resource-name> of both web-resource-collection elements is identical. Haven't seen that before, so I thought that might skew the results somehow.

Unlike servlet-name, are web-resource-name elements allowed to be duplicate?

Dieter Quickfend
Bartender
Posts: 543
Ah, good find, hadn't realized that. I believe the web-resource-name wouldn't influence the behaviour of the auth-constraint. As far as I know, it is used only for recognition by GUI-tools.
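To make the precedence rule from the thread concrete, here is an added example (not from the exam or the book) that combines every security-constraint matching a URL pattern the way the Servlet specification describes: an empty auth-constraint denies everyone no matter what else is present, a constraint with no auth-constraint at all permits unauthenticated access, and otherwise the role lists are unioned (with * standing for every declared role). It builds both the snippet as posted and the corrected version suggested above as constructed fixtures; the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fixtures (not from the exam): both versions of the snippet,
# wrapped in a minimal <web-app> so ElementTree can parse them.
def constraint(auth_xml):
    return ("<security-constraint><web-resource-collection>"
            "<web-resource-name>Sensitive</web-resource-name>"
            "<url-pattern>/SecuredServlet</url-pattern>"
            "</web-resource-collection>" + auth_xml + "</security-constraint>")

STAR = "<auth-constraint><role-name>*</role-name></auth-constraint>"
# As posted: the first <role-name> sits outside an empty <auth-constraint>
# (invalid against the schema, but ElementTree does not validate).
AS_POSTED = ("<web-app>" + constraint(
    "<auth-constraint></auth-constraint><role-name>manager</role-name>")
    + constraint(STAR) + "</web-app>")
# With manager moved inside the first <auth-constraint>, as the reply suggests.
CORRECTED = ("<web-app>" + constraint(
    "<auth-constraint><role-name>manager</role-name></auth-constraint>")
    + constraint(STAR) + "</web-app>")

def effective_access(web_xml, url_pattern):
    """Combine every <security-constraint> that names url_pattern the way the
    Servlet spec does and say who may reach it: 'nobody', 'unauthenticated',
    'any-role' (the * wildcard: every role declared in web.xml) or a
    frozenset of the named roles."""
    deny = open_access = any_role = False
    roles = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = {p.text.strip() for p in sc.iter("url-pattern")}
        if url_pattern not in patterns:
            continue
        ac = sc.find("auth-constraint")
        if ac is None:              # no <auth-constraint>: unauthenticated access
            open_access = True
            continue
        names = [r.text.strip() for r in ac.findall("role-name")]
        if not names:               # empty <auth-constraint>: always the final word
            deny = True
        elif "*" in names:
            any_role = True
        else:
            roles.update(names)
    if deny:
        return "nobody"
    if open_access or not (roles or any_role):   # nothing constrains it
        return "unauthenticated"
    return "any-role" if any_role else frozenset(roles)
```

Running it on the snippet as posted yields "nobody" (answer E), while the corrected descriptor yields "any-role", which is the situation the exam's explanation actually describes.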