Head First Mock Exam 37

 
Ranch Foreman
Posts: 1906
Question 37 of the mock exam:


You are tasked with adding several security features to your company's Java EE web application. Specifically, you need to create several classes of users and based on a user's class, you need to restrict them to use only some of the application's pages. In order to restrict access, you must determine that users are who they say they are.
Which are true?
A. If you need to verify that users are who they say they are, you must use the application's deployment descriptor to implement that requirement.
...


The given answer says option A is incorrect because

you can also perform authentication programmatically.



I think option A is correct.
Reason:
1. I don't think authentication is performed programmatically. isUserInRole checks whether the authenticated user is in a role, and getCallerPrincipal gets the username of the authenticated user.
2. In Tomcat, we use the vendor-specific deployment descriptor, tomcat-users.xml, to specify the username/password in order to authenticate the user.
 
Creator of Enthuware JWS+ V6
Posts: 3346

I don't think authentication is performed programmatically.


You can always develop an authentication implementation yourself without the use of web.xml (the deployment descriptor for declarative authentication and authorization).

It just involves checking out whether someone is, in fact, who he is declared to be. You can add specific HTTP headers to the request and verify the user credentials (username, password, role) on the server side from a coupled database.
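
The programmatic approach described in the reply above, as an added example that is not part of the original posts: a servlet filter that reads the Basic `Authorization` header, verifies it against a salted PBKDF2 hash, and then exposes the user and role through `getUserPrincipal` and `isUserInRole`. The class name, the `Account` record, the in-memory map standing in for the database, the iteration count and the sample user are assumptions; it targets Servlet 4.0 on Java 16 or later and presumes the application is served over TLS.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/*") // registered by annotation; web.xml carries no security elements
public class ProgrammaticAuthFilter implements Filter {
    record Account(byte[] salt, byte[] hash, String role) {} // hypothetical user-table row
    private final Map<String, Account> accounts = // constructed sample data, not a real store
        Map.of("alice", enroll("constructed-sample-password", "manager"));
    // Hashed in place of unknown names so response time does not reveal which users exist.
    private final Account decoy = enroll(UUID.randomUUID().toString(), "");
    private static Account enroll(String password, String role) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Account(salt, pbkdf2(password, salt), role);
    }
    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(
                new PBEKeySpec(password.toCharArray(), salt, 210_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        String h = ((HttpServletRequest) rq).getHeader("Authorization"), decoded = "";
        try {
            if (h != null && h.startsWith("Basic "))
                decoded = new String(Base64.getDecoder().decode(h.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) { /* treated as no credentials */ }
        int sep = decoded.indexOf(':');
        String user = decoded.substring(0, Math.max(sep, 0)), pass = decoded.substring(sep + 1);
        Account known = accounts.get(user), a = known != null ? known : decoy;
        if (pass.isEmpty() || !MessageDigest.isEqual(a.hash(), pbkdf2(pass, a.salt())) || known == null) {
            ((HttpServletResponse) rs).setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated: downstream servlets see the identity through the standard API.
        chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) rq) {
            @Override public Principal getUserPrincipal() { return () -> user; }
            @Override public String getRemoteUser() { return user; }
            @Override public boolean isUserInRole(String r) { return a.role().equals(r); }
        }, rs);
    }
}
```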
 