About Question enthuware.jwpv6.2.645 :
Why must a user be in the employee role to access /dynamic, seeing as the explanation says that it is unrestricted?
I think the answer is
"A user must be in employee role to access /secureDynamic but not /dynamic through HTTP POST method".
Site Admin
Re: About Question enthuware.jwpv6.2.645 :
No, the given answer is correct because the given deployment descriptor restricts only the POST method (not GET, which is what is being asked in the question).
HTH,
Paul.
Re: About Question enthuware.jwpv6.2.645 :
Shouldn't the last line in the code restrict GET access to the "/secureDynamic" url to only the "employee" role?
Is it additive (Deployment Descriptor combined with Dynamic code)?
    sd.addMapping("/secureDynamic");
*** Please Ignore this post, explanations have the answer ***
If a URL pattern of this ServletRegistration is an exact target of a security-constraint that was established via the portable deployment descriptor, then this method does not change the security-constraint for that pattern, and the pattern will be included in the return value.
Re: About Question enthuware.jwpv6.2.645 :
Hi,
For the first option, "A user must be in employee role to access /dynamic but not /secureDynamic using any HTTP method."
Access to both urls using HTTP POST is restricted only to the role "employee".
I think access to /dynamic, GET method, is restricted to employee according to the ServletContextListener.
Access to /secureDynamic, POST method, is restricted to employee, according to the DD.
But access to /dynamic's POST method is not restricted.
Site Admin
Re: About Question enthuware.jwpv6.2.645 :
As per Section 13.4.2 of Servlet 3.1 specification:
"When a security-constraint in the portable deployment descriptor includes a url-pattern that is an exact match for a pattern mapped by a ServletRegistration, calls to setServletSecurity on the ServletRegistration must have no effect on the constraints enforced by the Servlet container on the pattern."
Here, url-pattern /secureDynamic is present in the DD and the DD restricts only its POST method to employee. Therefore, the calls to setServletSecurity on the ServletRegistration for this pattern will have no effect. Hence, the restriction on GET imposed by the java code will not be effective.
HTH,
Paul.
Re: About Question enthuware.jwpv6.2.645 :
I am very confused. Please help..
The explanation given in the 1st wrong answer says
"Access to both the urls using HTTP POST is restricted only to the role "employee".
While explanation given for correct answer says:
"Security information specified dynamically cannot override the security configuration specified in the deployment descriptor. Here, the descriptor restricts only POST method on /secureDynamic. Other methods are unrestricted. "
Which one is correct? So if the call to setServletSecurity has no effect then there is no restriction on accessing /dynamic. Then the 1st explanation is wrong. Isn't it?
Site Admin
Re: About Question enthuware.jwpv6.2.645 :
In this case, the DD doesn't explicitly restrict or unrestrict access to the other methods. So servlet code is free to apply access rights to these dynamically.
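A minimal reconstruction of the setup this thread argues about, added here as an example and not code from the Enthuware question or from any poster: a listener that maps one servlet to both /dynamic and /secureDynamic and restricts GET to "employee" programmatically, next to a web.xml security-constraint (in the comment) that restricts only POST on /secureDynamic. The servlet name, class names and the exact shape of the original question's listener and descriptor are assumptions; the API calls (addServlet, addMapping, setServletSecurity, HttpMethodConstraintElement) are the Servlet 3.x ones.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment (the portable deployment descriptor). It is the
 * exact target for one pattern, /secureDynamic, and names one method, POST:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>secure</web-resource-name>
 *       <url-pattern>/secureDynamic</url-pattern>
 *       <http-method>POST</http-method>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>employee</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <security-role><role-name>employee</role-name></security-role>
 */
@WebListener
public class DynamicSecurityListener implements ServletContextListener {

    /** Hypothetical target servlet; its body is irrelevant to the constraint logic. */
    public static class DynamicServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("GET " + req.getServletPath());
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("POST " + req.getServletPath());
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ServletRegistration.Dynamic sd = ctx.addServlet("dynamicServlet", DynamicServlet.class);
        sd.addMapping("/dynamic");
        sd.addMapping("/secureDynamic");

        // Programmatic constraint: only GET is named, and GET requires "employee".
        // A method-only constraint leaves every method it does not name uncovered
        // (Servlet 3.1 section 13.4.1), so POST stays open on /dynamic.
        HttpConstraintElement employeeOnly =
                new HttpConstraintElement(TransportGuarantee.NONE, "employee");
        HttpMethodConstraintElement getNeedsEmployee =
                new HttpMethodConstraintElement("GET", employeeOnly);
        ServletSecurityElement dynamicSecurity =
                new ServletSecurityElement(Collections.singletonList(getNeedsEmployee));

        // The return value lists the mapped patterns that are already the exact
        // target of a DD security-constraint; for those the call has no effect
        // (section 13.4.2). With the web.xml above it contains "/secureDynamic".
        Set<String> ownedByDescriptor = sd.setServletSecurity(dynamicSecurity);
        ctx.log("Patterns whose constraints come from web.xml: " + ownedByDescriptor);

        // Effective result under these assumptions:
        //   GET  /dynamic       -> employee only   (dynamic constraint applies)
        //   POST /dynamic       -> unrestricted    (not named anywhere)
        //   POST /secureDynamic -> employee only   (web.xml)
        //   GET  /secureDynamic -> unrestricted    (web.xml owns the pattern wholesale;
        //                          the dynamic GET rule is not merged in)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}
```

The practical caveat is the uncovered-method problem visible in the table above: a constraint that names only GET or only POST says nothing about PUT, DELETE, HEAD or arbitrary verbs, and a client that switches method may reach the servlet unauthenticated. Servlet 3.1 added the `<deny-uncovered-http-methods/>` element to the deployment descriptor for exactly this; alternatively, constrain the URL pattern as a whole (an HttpConstraintElement with no per-method list) and only then carve out exceptions per method.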