You are tasked with adding several security features to your company's Java EE web application. Specifically, you need to create several classes of users and, based on a user's class, you need to restrict them to use only some of the application's pages. In order to restrict access, you must determine that users are who they say they are.
Which are true?
A. If you need to verify that users are who they say they are, you must use the application's deployment descriptor to implement that requirement.
The given answer says option A is incorrect because you can also perform authentication programmatically.
I think option A is correct.
1. I don't think authentication is performed programmatically. The isUserInRole method checks whether the authenticated user is in a role, and getCallerPrincipal gets the username of the authenticated user.
2. In Tomcat, we use the vendor-specific deployment descriptor, tomcat-users.xml, to specify the username/password in order to authenticate the user.
You can always develop an authentication implementation yourself without the use of web.xml (the deployment descriptor for declarative authentication and authorization).
It just involves checking out whether someone is, in fact, who he is declared to be. You can add specific HTTP headers to the request and verify the user credentials (username, password, role) on the server side from a coupled database.
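One way to do what this answer describes, as an added example that is not part of the original post: a servlet filter that authenticates callers of /admin/* from the request's Authorization header against a server-side credential store, with no <login-config> or <security-constraint> in web.xml. It assumes the Servlet 4.0 API (javax.servlet) and Java 9 or later; the BasicAuthFilter class, the /admin/* path and the in-memory USER_HASHES map standing in for a database are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Programmatic authentication for /admin/*: no <login-config>/<security-constraint> in web.xml.
@WebFilter("/admin/*")
public class BasicAuthFilter implements Filter {
    // Hypothetical credential store standing in for the answer's database. It holds
    // SHA-256 digests only; a real store would use a salted, slow hash (PBKDF2, bcrypt).
    private static final Map<String, byte[]> USER_HASHES =
            Map.of("alice", sha256("correct horse battery staple"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = authenticatedUser(request.getHeader("Authorization"));
        if (user == null) {  // absent or wrong credentials: challenge, never serve the page
            response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("authenticatedUser", user);  // for downstream role checks
        chain.doFilter(req, res);
    }

    // Parses "Basic base64(user:password)" (RFC 7617); returns the user name on success,
    // null on any failure (missing header, malformed base64, unknown user, wrong password).
    static String authenticatedUser(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        byte[] expected = USER_HASHES.get(user);
        // Constant-time compare so response timing does not reveal which byte differed.
        boolean ok = expected != null && MessageDigest.isEqual(expected, sha256(decoded.substring(colon + 1)));
        return ok ? user : null;
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Pages behind the filter can read the "authenticatedUser" request attribute to apply their own role restrictions, which is the programmatic counterpart of a declarative <auth-constraint>.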