
About final mock exam question 10

 
Himai Minh
Ranch Hand
Question 10 of final exam:

You have determined that certain capabilities in your web application will require that users be registered members. In addition, your web application sometimes deals with users' data that your users want you to keep confidential.
Which are true?
Option B. Of the various types of authentication guaranteed by a Java EE container, only BASIC, Digest, and Form Based are implemented by matching a user name to a password.
Option C. No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested.


The correct answer provided is C.
But I think the correct answer is B instead.
Reason:
1. Basic, Digest and Form authentications are implemented by a username/password.
With Digest, username/password are used and the password is hashed according to section 13.6.2.
With HTTPS client authentication, the client presents a certificate to the server.
So, I think option B is correct as it says "only Basic, Digest and Form based are implemented by matching a username to a password."

2. "No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested."
I think the authentication mechanism is activated when the usernames/passwords are specified in a vendor-specific deployment descriptor, such as tomcat-users.xml.
The authorization mechanism is activated when security constraints are specified in web.xml.
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
But I think the correct answer is B instead.

It took me some time to figure this one out. I think that option B is wrong because of the word guaranteed. Digest authentication is not required to be supported by the EE container (the other two are).

I think authentication mechanism is activated when the usernames / passwords are specified in a vendor specific deployment descriptor,

No, authentication is activated by the <auth-constraint> element of the <security-constraint>.
 
Himai Minh
Ranch Hand
Hi, Frits. Thanks for your response.

authentication is activated by the <auth-constraint> element of the <security-constraint>

I think that it is authorization that is activated by the <auth-constraint> element.

One more note:
From servlet 3.0 spec, section 13.6.2,
Servlet containers SHOULD support HTTP_DIGEST authentication.

Does it mean it is mandatory for a Servlet 3.0 compliant container to support Digest authentication?


 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
I think that is authorization activated by <auth-constraint> element.

Yes, the <auth-constraint> is the authorization constraint of a certain URL, but when there has not been any Authentication (e.g. first request on a protected URL), the container activates the authentication mechanism.

In terms of the Servlet specs: "An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests."


Does it mean it is mandatory for servlet 3.0 compliant container to support digest authentication?

Should is less strong than Must, so I would say no. However, the book you are using was from the Servlet 2.4 era.
From Servlet v2.4:
SRV.12.5.2 HTTP Digest Authentication
Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However the authentication is performed by transmitting the password in an encrypted form which is much more secure than the simple base64 encoding used by Basic Authentication, e.g. HTTPS Client Authentication. As Digest Authentication is not currently in widespread use, servlet containers are encouraged but not required to support it.
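To make the distinction in this thread concrete, here is an added web.xml fragment (constructed for illustration, not from the exam, the book, or either poster): the <auth-constraint> inside a <security-constraint> is the authorization rule, and it is an unauthenticated request for a URL matching that constraint that makes the container run whatever mechanism <login-config> names. The URL patterns, role name, and login page paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed Servlet 3.0 deployment descriptor fragment (assumed paths and roles). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Authorization: only /members/* is constrained. <auth-constraint> names the
       roles allowed in. A request here from a user who has not yet authenticated
       is what triggers the <login-config> mechanism below; a request to any
       unconstrained URL (e.g. /public/*) never triggers it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- The "keep confidential" part of the question: require HTTPS for this resource. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: which mechanism the container activates. FORM, BASIC and
       DIGEST all match a user name to a password; CLIENT-CERT uses a certificate.
       BASIC and DIGEST need no <form-login-config>; DIGEST is only SHOULD-level
       in the spec, so check your container supports it before relying on it. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

Where the user name/password pairs live (tomcat-users.xml, an LDAP realm, a JDBC realm) is the container's realm configuration; it supplies the credentials but does not by itself activate authentication for any URL.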
 