All times are UTC - 5 hours




 Post subject: About Question enthuware.jwpv6.2.645 :
PostPosted: Mon Jan 06, 2014 9:51 am 

Joined: Sun Jan 05, 2014 6:19 pm
Posts: 5
Why must a user be in the employee role to access /dynamic, seeing as the explanation says that it is unrestricted?

I think the answer is
"A user must be in employee role to access /secureDynamic but not /dynamic through HTTP POST method".


 Post subject: Re: About Question enthuware.jwpv6.2.645 :
PostPosted: Mon Jan 06, 2014 10:11 am 
Site Admin

Joined: Fri Sep 10, 2010 9:26 pm
Posts: 6863
No, the given answer is correct because the given deployment descriptor restricts only the POST method (not GET, which is what is being asked in the question).

HTH,
Paul.


 Post subject: Re: About Question enthuware.jwpv6.2.645 :
PostPosted: Wed Jun 10, 2015 10:16 am 

Joined: Thu Apr 09, 2015 12:32 pm
Posts: 8
Shouldn't the last line in the code restrict the GET access to "/secureDynamic" url to only "employee" role?

Code:
sd.addMapping("/secureDynamic");

Is it additive (deployment descriptor combined with dynamic code)?



*** Please Ignore this post, explanations have the answer ***

If a URL pattern of this ServletRegistration is an exact target of a security-constraint that was established via the portable deployment descriptor, then this method does not change the security-constraint for that pattern, and the pattern will be included in the return value.


 Post subject: Re: About Question enthuware.jwpv6.2.645 :
PostPosted: Sun May 01, 2016 4:31 pm 

Joined: Fri Nov 29, 2013 8:26 pm
Posts: 358
Hi,
for the first option "A user must be in employee role to access /dynamic but not /secureDynamic using any HTTP method.
Access to both urls using HTTP POST is restricted only to the role "employee".

I think access to /dynamic, GET method, is restricted to employee according to the ServletContextListener.
Access to /secureDynamic, POST method, is restricted to employee, according to the DD.
But access to /dynamic's POST method is not restricted.


 Post subject: Re: About Question enthuware.jwpv6.2.645 :
PostPosted: Sun May 01, 2016 8:08 pm 
Site Admin

Joined: Fri Sep 10, 2010 9:26 pm
Posts: 6863
As per Section 13.4.2 of Servlet 3.1 specification:
Quote:
When a security-constraint in the portable deployment descriptor includes a url-pattern that is an exact match for a pattern mapped by a ServletRegistration, calls to setServletSecurity on the ServletRegistration must have no effect on the constraints enforced by the Servlet container on the pattern.


Here, url-pattern /secureDynamic is present in the DD and the DD restricts only its POST method to employee. Therefore, the calls to setServletSecurity on the ServletRegistration for this pattern will have no effect. Hence, the restriction to GET imposed by the Java code will not be effective.

HTH,
Paul.
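
Added example, not part of the original thread or of the mock exam's code: a listener that applies the programmatic GET constraint discussed above and checks the return value of setServletSecurity, which names the patterns where the deployment descriptor takes precedence. The servlet name, the class names, and the assumption that web.xml already holds a POST-only security-constraint on /secureDynamic are illustrative.

```java
import java.util.Collections;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;

@WebListener
public class DynamicSecurityListener implements ServletContextListener {
    // Hypothetical servlet class standing in for whatever the application registers.
    public static class ReportServlet extends HttpServlet { }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ServletRegistration.Dynamic sd = ctx.addServlet("reportServlet", ReportServlet.class);
        // Mappings are added first here so the return value below can name them.
        sd.addMapping("/dynamic", "/secureDynamic");

        // Programmatic constraint: GET requires the "employee" role.
        HttpConstraintElement employeeOnly =
                new HttpConstraintElement(TransportGuarantee.NONE, "employee");
        ServletSecurityElement getForEmployees = new ServletSecurityElement(
                Collections.singletonList(new HttpMethodConstraintElement("GET", employeeOnly)));

        // Returned set: patterns that are exact targets of a DD security-constraint.
        // For those, the container keeps the DD constraint and ignores this call.
        Set<String> ignored = sd.setServletSecurity(getForEmployees);
        if (!ignored.isEmpty()) {
            // With the assumed DD this set contains "/secureDynamic": GET on that
            // pattern stays unrestricted because the DD lists only POST.
            throw new IllegalStateException(
                    "setServletSecurity ignored for " + ignored
                    + "; correct the <security-constraint> in web.xml instead");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Throwing at startup is a choice made for this example; logging the returned set is the minimum needed to notice that a pattern is covered only by the descriptor's narrower constraint.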


 Post subject: Re: About Question enthuware.jwpv6.2.645 :
PostPosted: Wed Nov 29, 2017 1:15 am 

Joined: Thu Nov 02, 2017 1:33 am
Posts: 5
I am very confused. Please help..

The explanation given in the 1st wrong answer says
"Access to both the urls using HTTP POST is restricted only to the role "employee".

While explanation given for correct answer says:
"Security information specified dynamically cannot override the security configuration specified in the deployment descriptor. Here, the descriptor restricts only POST method on /secureDynamic. Other methods are unrestricted. "

Which one is correct? So if the call to setServletSecurity has no effect then there is no restriction on accessing /dynamic. Then the 1st explanation is wrong. Isn't it?

