About Question enthuware.jwpv6.2.888 :
Moderator: admin
I understand the answer to this question, but in a book that I read (OCEJWCD Study Companion - OCE Java EE Web Component Developer, Charles Lyons, Third Edition) I found the following description:
"A declaration of the form <role-name>*</role-name> means 'grant access to an authenticated user or any role'. This does imply that the user has already been authenticated." => this explains the usage of a * in the role-name element as a child of auth-constraint.
"Omitting all <role-name> elements, or indeed the parent <auth-constraint>, means 'grant access to anyone, authenticated or not'. ... The user doesn't even have to have been authenticated." => this is in total contradiction to the answer ETS is giving for this question?
What is now really the solution for this question? The book is quite new (2012) and makes a good impression, but also ETS gives good explanations and makes a good impression - can you help me?
Thanks a lot.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.jwpv6.2.888 :
Both are correct. The given question does not have any role-name with * in the auth-constraint element. It is empty. <auth-constraint></auth-constraint> is not the same as <auth-constraint><role-name>*</role-name></auth-constraint>.
Also, whenever in doubt, consult the specification. Many questions, such as this one, specify the relevant section of the specification.
HTH,
Paul.
Re: About Question enthuware.jwpv6.2.888 :
Found the following:
Servlet 3.0 13.8.1 Combining Constraints
The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.
=> no one will have access to the constrained resource.
The book stated: "Omitting all role-elements, ..., means 'grant access to anyone, authenticated or not' ... The user doesn't even have to have been authenticated"
=> this is in contradiction to the servlet specification, so I think the book is wrong and the answer to the question is correct.
- Posts: 1
- Joined: Fri Jul 05, 2013 2:46 am
Re: About Question enthuware.jwpv6.2.888 :
I'm sorry but I can't understand why the right answer is "No user, authenticated or not, can access the resource...". I think that any user can access the resource since there is only POST constraint.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.jwpv6.2.888 :
Did you read the explanation provided with the option?
grafviktor wrote: I'm sorry but I can't understand why the right answer is "No user, authenticated or not, can access the resource...". I think that any user can access the resource since there is only POST constraint.
There is an empty auth-constraint in the given code. An auth-constraint that does not specify any role means that no role will be able to access the resource. This overrides any other security constraint containing the same web-resource-collection. In other words, in case of two security constraints containing the same web-resource-collection, where one allows access to some roles in its auth-constraint and another one contains an empty auth-constraint (note that auth-constraint tag must be present and empty), no role will be able to access that web-resource-collection.
HTH,
Paul.
- Posts: 9
- Joined: Mon Nov 04, 2013 7:49 am
Re: About Question enthuware.jwpv6.2.888 :
Hi, on the Explanation I think there's a typo on the version of the specification and the section.
The version is 3.0, not 2.4 (although 2.4 might be valid, the simulator is for the 3.0 exam). And the section is 13.8.1, not 12.8.1
- Posts: 5
- Joined: Sun Jan 05, 2014 6:19 pm
Re: About Question enthuware.jwpv6.2.888 :
I think the answer must say:
"No user, authenticated or not, can access the resource identified by the given web-resource-collection through POST method."
I guess any user can access the resource through other methods.
- Site Admin
- Posts: 10036
- Joined: Fri Sep 10, 2010 9:26 pm
Re: About Question enthuware.jwpv6.2.888 :
No, the option says "...by the given web-resource-collection". The web-resource-collection includes the method as well. So adding "through POST method" is redundant.
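The combining rules from Servlet 3.0 section 13.8.1 that this thread discusses, as an added example that is not part of the original posts or of the exam question: a small auditor that reports the effective access for a url-pattern and HTTP method, covering the empty auth-constraint, the `*` role, and methods the collection does not list. The descriptor is constructed sample data; `effective_access` and its return labels are hypothetical names, and the sketch assumes a web.xml without an XML namespace, exact-string url-pattern matching, and no http-method-omission elements.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: empty auth-constraint and a role-based one on the
# same collection (POST only), plus a "*" constraint covering all methods.
SAMPLE = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/reports/*</url-pattern>
   <http-method>POST</http-method></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/reports/*</url-pattern>
   <http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def effective_access(xml_text, url_pattern, method):
    """Combine every constraint that applies to (url_pattern, method)."""
    verdicts = []  # None = no auth-constraint, set() = empty, else role names
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        applies = False
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            # A collection with no <http-method> covers every method.
            if url_pattern in patterns and (not methods or method in methods):
                applies = True
        if applies:
            auth = sc.find("auth-constraint")
            verdicts.append(None if auth is None else
                            {r.text.strip() for r in auth.iter("role-name")})
    if not verdicts:
        return "unconstrained"            # nothing in the descriptor applies
    if any(v == set() for v in verdicts):
        return "deny-all"                 # empty auth-constraint overrides the rest
    if any(v is None for v in verdicts):
        return "unauthenticated-allowed"  # a constraint without auth-constraint
    roles = set().union(*verdicts)
    return "any-role" if "*" in roles else sorted(roles)
```

With the sample descriptor, POST to `/reports/*` is denied to everyone even though another constraint names `manager`, while GET on the same pattern matches no constraint at all.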