Question 30 - Final mock exam HFSJ

The question is

Your web application has a valid DD in which student and sensei are the only security roles that have been defined. The DD contains two security constraints that declare the same resource to be constrained. The first security constraint contains:

<auth-constraint> <role-name>student</role-name> </auth-constraint>

And the second security constraint contains

<auth-constraint />

Which are true? (Choose all that apply.)

A. As the DD stands now, the constrained resource can be accessed by both roles.
B. As the DD stands now, the constrained resource can be accessed only be sensei users.
C. As the DD stands now, the constrained resource can be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by student users.

The answer given is D.

I think the answer should be E, as removing the second auth-constraint means all users are no longer restricted, but students are still restricted to the resource, therefore only sensei users can access it. Please tell me if I'm correct?

Again here also you are confusing the meaning of <auth-constraint> tag. See This.
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
does NOT mean that the given request on the given resource is restricted for student role. It means that the given request on the given resource is restricted for roles OTHER THAN student.

Thank you Piyush, I had it mixed up obviously.

As per me the answer should be F.
Correct me if I am wrong..

No its wrong..
Remember that if there is no auth-constraint tag then every role is allowed.

First auth-constraint says students are allowed
If second auth-constraint tag is removed then it will mean that every role is allowed.
Therefore the combined effect of these two will be that every role will be allowed.

Things to remember:
Role1 + Role2 = Role1 and Role2
Role1 + everybody = everybody
Role1 + nobody = nobody

Then it is good to correct the errata because someone reported the same mistake(wrong correction).

And this proposition even got approved
Errata - Page 843 Question 30

Yes the errata should be corrected.

Servlet 3.0 specification section 13.8 says:

If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication.

also in the HFSJ book at page 668 it's mentioned as:

If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.

Then for combining constraints:

Servlet 3.0 Specification section 13.8.1 says:

A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access.

From this, its clear that the option D is correct.

But how to correct the errata? Should another errata be raised to correct it?

I have seen many duplicate reports, so I suppose that there is not established process of editing the existing posts.
Even though we might ask o'reilly for any case.