About Question enthuware.jwpv6.2.888 :

Moderator: admin

ETS User

About Question enthuware.jwpv6.2.888 :

Post by ETS User »

I understand the answer to this question, but in a book that I read (OCEJWCD Study Companion - OCE Java EE Web Component Developer, Charles Lyons, Third Edition) I found the following description:
"A declaration of the form <role-name>*</role-name> means 'grant access to an authenticated user or any role'. This does imply that the user has already been authenticated." => this explains the usage of a * in the role-name element as a child of auth-constraint.
"Omitting all <role-name> elements, or indeed the parent <auth-constraint>, means 'grant access to anyone, authenticated or not'. ... The user doesn't even have to have been authenticated." => this is in total contradiction to the answer ETS is giving for this question?

What is now really the solution for this question? The book is quite new (2012) and makes a good impression, but also ETS gives good explanations and makes a good impression - can you help me?

Thanks a lot.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.888 :

Post by admin »

Both are correct. The given question does not have any role-name with * in the auth-constraint element. It is empty. <auth-constraint></auth-constraint> is not the same as <auth-constraint><role-name>*</role-name></auth-constraint>.

Also, whenever in doubt, consult the specification. Many questions, such as this one, specify the relevant section of the specification.

HTH,
Paul.
If you like our products and services, please help us by posting your review here.

Guest

Re: About Question enthuware.jwpv6.2.888 :

Post by Guest »

Found the following:

Servlet 3.0 13.8.1 Combining Constraints
The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.
=> no one will have access to the constrained resource.

The book stated: "Omitting all role-elements, ..., means 'grant access to anyone, authenticated or not' ... The user doesn't even have to have been authenticated"
=> this is in contradiction to the servlet specification, so I think the book is wrong and the answer to the question is correct.

grafviktor
Posts: 1
Joined: Fri Jul 05, 2013 2:46 am

Re: About Question enthuware.jwpv6.2.888 :

Post by grafviktor »

I'm sorry but I can't understand why the right answer is "No user, authenticated or not, can access the resource...". I think that any user can access the resource since there is only POST constraint.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.888 :

Post by admin »

grafviktor wrote: I'm sorry but I can't understand why the right answer is "No user, authenticated or not, can access the resource...". I think that any user can access the resource since there is only POST constraint.
Did you read the explanation provided with the option?
An auth-constraint that does not specify any role means that no role will be able to access the resource. This overrides any other security constraint containing the same web-resource-collection. In other words, in case of two security constraints containing the same web-resource-collection, where one allows access to some roles in its auth-constraint and another one contains an empty auth-constraint (note that auth-constraint tag must be present and empty), no role will be able to access that web-resource-collection.
There is an empty auth-constraint in the given code.
HTH,
Paul.

mtmmjava
Posts: 9
Joined: Mon Nov 04, 2013 7:49 am

Re: About Question enthuware.jwpv6.2.888 :

Post by mtmmjava »

Hi, on the Explanation I think there's a typo on the version of the specification and the section.
The version is 3.0, not 2.4 (although 2.4 might be valid, the simulator is for the 3.0 exam). And the section is 13.8.1, not 12.8.1

alayor
Posts: 5
Joined: Sun Jan 05, 2014 6:19 pm

Re: About Question enthuware.jwpv6.2.888 :

Post by alayor »

I think the answer must say:
"No user, authenticated or not, can access the resource identified by the given web-resource-collection through POST method."

I guess any user can access the resource through other methods.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.888 :

Post by admin »

No, the option says "...by the given web-resource-collection". The web-resource-collection includes the method as well. So adding "through POST method" is redundant.
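The combining rules discussed in this thread (empty auth-constraint, no auth-constraint, and <role-name>*</role-name>, each scoped to a url-pattern and http-method) can be checked mechanically. The following is an added example, not code from the question, the book or Enthuware: the descriptor is constructed, the names `effective_access`, `find`, `SAMPLE` and `ALL` are hypothetical, and `http-method-omission` is not handled.

```python
import xml.etree.ElementTree as ET

ALL = "*"  # key used here when a collection lists no <http-method>
# Constructed descriptor for illustration (not the exam question's web.xml).
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint><web-resource-collection>
   <web-resource-name>a</web-resource-name><url-pattern>/reports/*</url-pattern>
   <http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <web-resource-name>b</web-resource-name><url-pattern>/reports/*</url-pattern>
   <http-method>POST</http-method></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <web-resource-name>c</web-resource-name><url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def find(elem, name):  # descendants by local tag name, ignoring the namespace
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def effective_access(xml_text):
    """Combine constraints per (url-pattern, http-method), Servlet 3.0 13.8.1."""
    seen = {}
    for sc in find(ET.fromstring(xml_text), "security-constraint"):
        auth = find(sc, "auth-constraint")
        # None = no <auth-constraint>; empty set = present but names no roles
        roles = {r.text.strip() for r in find(auth[0], "role-name")} if auth else None
        for wrc in find(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in find(wrc, "http-method")] or [ALL]
            for url in find(wrc, "url-pattern"):
                for m in methods:
                    seen.setdefault((url.text.strip(), m), []).append(roles)
    result = {}
    for (url, m), sets in seen.items():
        if m != ALL:  # an all-methods constraint on the same pattern also applies
            sets = sets + seen.get((url, ALL), [])
        if any(s is not None and not s for s in sets):
            result[(url, m)] = "DENY_ALL"            # empty auth-constraint wins
        elif any(s is None for s in sets):
            result[(url, m)] = "UNAUTHENTICATED_OK"  # no auth-constraint at all
        elif any("*" in s for s in sets):
            result[(url, m)] = "ANY_ROLE"            # <role-name>*</role-name>
        else:
            result[(url, m)] = "ROLES:" + ",".join(sorted(set().union(*sets)))
    return result
```

A (url-pattern, method) pair that is absent from the returned map is not covered by any constraint in the descriptor, which is the case for GET on /reports/* in the sample.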
