Question 30 - Final mock exam HFSJ
Paul Statham
Ranch Hand
Posts: 60
1
posted 5 years ago
The question is
The answer given is D.
I think the answer should be E, as removing the second auth-constraint means all users are no longer restricted, but students are still restricted to the resource, therefore only sensei users can access it. Please tell me if I'm correct?
Your web application has a valid DD in which student and sensei are the only security roles that have been defined. The DD contains two security constraints that declare the same resource to be constrained. The first security constraint contains:
And the second security constraint contains
Which are true? (Choose all that apply.)
A. As the DD stands now, the constrained resource can be accessed by both roles.
B. As the DD stands now, the constrained resource can be accessed only be sensei users.
C. As the DD stands now, the constrained resource can be accessed only by student users.
D. If the second <auth-constraint> tag is removed, the constrained resource can be accessed by both roles.
E. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by sensei users.
F. If the second <auth-constraint> tag is removed, the constrained resource can be accessed only by student users.
The answer given is D.
I think the answer should be E, as removing the second auth-constraint means all users are no longer restricted, but students are still restricted to the resource, therefore only sensei users can access it. Please tell me if I'm correct?
posted 5 years ago
Again here also you are confusing the meaning of <auth-constraint> tag. See This.
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
does NOT mean that the given request on the given resource is restricted for student role. It means that the given request on the given resource is restricted for roles OTHER THAN student.
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
does NOT mean that the given request on the given resource is restricted for student role. It means that the given request on the given resource is restricted for roles OTHER THAN student.
Piyush
Paul Statham
Ranch Hand
Posts: 60
1
posted 5 years ago
No its wrong..
Remember that if there is no auth-constraint tag then every role is allowed.
First auth-constraint says students are allowed
If second auth-constraint tag is removed then it will mean that every role is allowed.
Therefore the combined effect of these two will be that every role will be allowed.
Things to remember:
Role1 + Role2 = Role1 and Role2
Role1 + everybody = everybody
Role1 + nobody = nobody
Remember that if there is no auth-constraint tag then every role is allowed.
First auth-constraint says students are allowed
If second auth-constraint tag is removed then it will mean that every role is allowed.
Therefore the combined effect of these two will be that every role will be allowed.
Things to remember:
Role1 + Role2 = Role1 and Role2
Role1 + everybody = everybody
Role1 + nobody = nobody
Piyush
Stoian Azarov
Ranch Hand
Posts: 113
posted 5 years ago
Then it is good to correct the errata because someone reported the same mistake(wrong correction).
And this proposition even got approved
Errata - Page 843 Question 30
And this proposition even got approved
Errata - Page 843 Question 30
posted 5 years ago
Yes the errata should be corrected.
Servlet 3.0 specification section 13.8 says:
also in the HFSJ book at page 668 it's mentioned as:
Then for combining constraints:
Servlet 3.0 Specification section 13.8.1 says:
From this, its clear that the option D is correct.
But how to correct the errata? Should another errata be raised to correct it?
Servlet 3.0 specification section 13.8 says:
If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication.
also in the HFSJ book at page 668 it's mentioned as:
If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.
Then for combining constraints:
Servlet 3.0 Specification section 13.8.1 says:
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access.
From this, its clear that the option D is correct.
But how to correct the errata? Should another errata be raised to correct it?
Piyush
