About final mock exam question 10

 
Himai Minh
Ranch Foreman
Question 10 of final exam:

You have determined that certain capabilities in your web application will require that users be registered members. In addition, your web application sometimes deals with users' data that your users want you to keep confidential.
Which are true?
Option B. Of the various types of authentication guaranteed by a Java EE container, only BASIC, Digest, and Form Based are implemented by matching a user name to a password.
Option C. No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested.


The correct answer provided is C.
But I think the correct answer is B instead.
Reason:
1. Basic, Digest and Form authentications are implemented by a username/password.
With Digest, username/password are used and the password is hashed according to section 13.6.2.
With HTTPS client authentication, the client presents a certificate to the server.
So, I think option B is correct as it says "only Basic, Digest and Form based are implemented by matching a username to a password."

2. "No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested."
I think the authentication mechanism is activated when the usernames / passwords are specified in a vendor-specific deployment descriptor, such as tomcat-users.xml.
The authorization mechanism is activated when security constraints are specified in web.xml.
 
Frits Walraven
Creator of Enthuware JWS+ V6

But I think the correct answer is B instead.


It took me some time to figure this one out. I think that option B is wrong because of the word guaranteed. Digest authentication is not required to be supported by the EE container (the other two are).

I think authentication mechanism is activated when the usernames / passwords are specified in a vendor specific deployment descriptor,


No, authentication is activated by the <auth-constraint> element of the <security-constraint>.
 
Himai Minh
Ranch Foreman
Hi, Frits. Thanks for your response.


authentication is activated by the <auth-constraint> element of the <security-constraint>


I think that is authorization, activated by the <auth-constraint> element.

One more note:
From servlet 3.0 spec, section 13.6.2,

Servlet containers SHOULD support HTTP_DIGEST authentication.


Does it mean it is mandatory for a Servlet 3.0 compliant container to support digest authentication?
 
Frits Walraven
Creator of Enthuware JWS+ V6
I think that is authorization activated by <auth-constraint> element.


Yes, the <auth-constraint> is the authorization constraint of a certain URL, but when there has not been any Authentication (e.g. first request on a protected URL), the container activates the authentication mechanism.

In terms of the Servlet specs: "An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests."


Does it mean it is mandatory for servlet 3.0 compliant container to support digest authentication?


Should is less strong than Must, so I would say no. However, the book you are using was from the Servlet 2.4 era.
From Servlet v2.4:

SRV.12.5.2 HTTP Digest Authentication
Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However the authentication is performed by transmitting the password in an encrypted form which is much more secure than the simple base64 encoding used by Basic Authentication, e.g. HTTPS Client Authentication. As Digest Authentication is not currently in widespread use, servlet containers are encouraged but not required to support it.

 