About Question enthuware.ocejws.v6.2.220 :

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

About Question enthuware.ocejws.v6.2.220 :

Post by himaiMinh »

For option 1

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;

@ApplicationPath("jax")
@Path("rs")
public class AdditionService extends Application {

    // Method-level role restriction: honoured on an EJB resource, ignored on a plain servlet-based resource
    @RolesAllowed("student")
    @GET
    @Path("/add/{num1}/{num2}")
    public String addp(....) {...}

}
It is not an EJB, but we can still define the role-based security in web.xml when the resource class is deployed.
The web.xml can be:

<web-app>
   ...
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>addition</web-resource-name>
         <url-pattern>/jax/rs/add/*</url-pattern>
         <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>student</role-name>
      </auth-constraint>
   </security-constraint>
   ...
</web-app>
Any comments?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.220 :

Post by fjwalraven »

True, but I want to emphasize the (role-based) annotations in this question.

What I meant by
"Assume that there is a security constraint in the web deployment descriptor that allows "student" and "teacher" to access the URL"
is the following constraint:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>secure addition</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>student</role-name>
      <role-name>teacher</role-name>
   </auth-constraint>
</security-constraint>
Would it be better to put that constraint in the problem statement?

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

Re: About Question enthuware.ocejws.v6.2.220 :

Post by himaiMinh »

Thanks for the explanation.
I understand it now. I missed the point that there is actually a web.xml that has already specified the roles of students and teachers.

In option 1, if AdditionService (a servlet-based resource class) is deployed, the @RolesAllowed won't do anything because @RolesAllowed is only used by EJB 3, not by servlets.

Also, in an EJB-based web service, the role-based annotations are in addition to the security defined in web.xml.

Using an example to compare role-based security annotation and role-based security in web.xml:
1. @RolesAllowed on a specific method is to specify the fine-grained role-based security. That means, to specify the role-based security of a particular method.
2. Using web.xml is to specify the general role-based security. For example, specify who can access all the @GET methods.

Any comments?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.220 :

Post by fjwalraven »

1. @RolesAllowed on a specific method is to specify the fine-grained role-based security. That means, to specify the role-based security of a particular method.
Yes, fine-grained, method-based security.
2. Using web.xml is to specify the general role-based security. For example, specify who can access all the @GET methods.
Yes, coarse-grained, URL-based security.

Regards,
Frits
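As an added illustration of the distinction drawn in this thread (coarse-grained URL constraint in web.xml, fine-grained role check at the method), and not code from the question or from either poster: a servlet-based resource that enforces the "student" role programmatically through SecurityContext, since @RolesAllowed is not honoured on a non-EJB resource. It assumes a web.xml security constraint like the one above already forces authentication for the "student" and "teacher" roles on the URL; the class and method names are assumed.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical servlet-based JAX-RS resource (not the question's AdditionService).
// Coarse-grained access to the URL is left to the <security-constraint> in web.xml;
// the narrowing of this one method to "student" is enforced here, because on a
// non-EJB resource class the container ignores @RolesAllowed.
@Path("rs")
public class AdditionResource {

    @GET
    @Path("/add/{num1}/{num2}")
    public String add(@PathParam("num1") int num1,
                      @PathParam("num2") int num2,
                      @Context SecurityContext sc) {
        requireRole(sc, "student");
        return Integer.toString(num1 + num2);
    }

    // Fine-grained check: the caller must be authenticated (web.xml should already
    // guarantee this) and must hold the given role. An authenticated caller without
    // the role gets 403, not 401: the identity is known but not permitted.
    static void requireRole(SecurityContext sc, String role) {
        if (sc == null || sc.getUserPrincipal() == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (!sc.isUserInRole(role)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }
}
```

With this, a "teacher" that the web.xml constraint lets through to /jax/rs/add/... is still refused by the method, which is the fine-grained layer the thread describes.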
