About Question enthuware.jwpv6.2.645 :

Moderator: admin

Post Reply
alayor
Posts: 5
Joined: Sun Jan 05, 2014 6:19 pm
Contact:

About Question enthuware.jwpv6.2.645 :

Post by alayor » Mon Jan 06, 2014 9:51 am

Why a user must be in employee role to access /dynamic seeing as the explanation says that is unrestricted?

I think the answer is
"A user must be in employee role to access /secureDynamic but not /dynamic through HTTP POST method".

admin
Site Admin
Posts: 7412
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by admin » Mon Jan 06, 2014 10:11 am

No, the given answer is correct because the given deployment descriptor restricts only POST method (not GET, which is what is being asked in the question.).

HTH,
Paul.
If you like our products and services, please help us by posting your review here.

pwang8
Posts: 8
Joined: Thu Apr 09, 2015 12:32 pm
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by pwang8 » Wed Jun 10, 2015 10:16 am

Shouldn't the last line in the code restrict the GET access to "/secureDynamic" url to only "employee" role?

Code: Select all

sd.addMapping("/secureDynamic");
Is it additive (Deploy Descriptor combine Dynamic code)?



*** Please Ignore this post, explanations have the answer ***

If a URL pattern of this ServletRegistration is an exact target of a security-constraint that was established via the portable deployment descriptor, then this method does not change the security-constraint for that pattern, and the pattern will be included in the return value.

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by himaiMinh » Sun May 01, 2016 4:31 pm

Hi,
for the first option "A user must be in employee role to access /dynamic but not /secureDynamic using any HTTP method.
Access to both urls using HTTP POST is restricted only to the role "employee".

I think access to /dynamic , GET method is restricted to employee according to the ServletContextListener.
Access to /secureDynamic, POST method is restricted to employee, according to the dd.
But accessing to /dynamic's POST method is not restricted.

admin
Site Admin
Posts: 7412
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by admin » Sun May 01, 2016 8:08 pm

As per Section 13.4.2 of Servlet 3.1 specification:
When a security-constraint in the portable deployment descriptor includes a url-pattern that is an exact match for a pattern mapped by a ServletRegistration, calls to setServletSecurity on the ServletRegistration must have no effect on the constraints enforced by the Servlet container on the pattern.
Here, url-pattern /secureDynamic is present in the DD and the DD restricts only its POST method to employee. Therefore, the calls to setServletSecurity on the ServletRegistration for this pattern will have no effect. Hence, the restriction to GET imposed by the java code will not be effective.

HTH,
Paul.
If you like our products and services, please help us by posting your review here.

JJeena
Posts: 5
Joined: Thu Nov 02, 2017 1:33 am
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by JJeena » Wed Nov 29, 2017 1:15 am

I am very confused. Please help..

The explanation given in the 1st wrong answer says
"Access to both the urls using HTTP POST is restricted only to the role "employee".

While explanation given for correct answer says:
"Security information specified dynamically cannot override the security configuration specified in the deployment descriptor. Here, the descriptor restricts only POST method on /secureDynamic. Other methods are unrestricted. "

Which one is correct? So if the call to setServletSecurity has no effect then there is no restriction on accessing /dynamic. Then 1st explanation is wrong. Isnt?

admin
Site Admin
Posts: 7412
Joined: Fri Sep 10, 2010 9:26 pm
Contact:

Re: About Question enthuware.jwpv6.2.645 :

Post by admin » Fri Jun 08, 2018 11:03 pm

In this case, the DD doesn't explicitly restrict or unrestrict access to other method. So a servlet code is free to apply access rights to these dynamically.
If you like our products and services, please help us by posting your review here.

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests