
About Question enthuware.jwpv6.2.645 :

Posted: Mon Jan 06, 2014 9:51 am
by alayor
Why must a user be in the employee role to access /dynamic, seeing as the explanation says that it is unrestricted?

I think the answer is
"A user must be in employee role to access /secureDynamic but not /dynamic through HTTP POST method".

Re: About Question enthuware.jwpv6.2.645 :

Posted: Mon Jan 06, 2014 10:11 am
by admin
No, the given answer is correct because the given deployment descriptor restricts only the POST method (not GET, which is what is being asked in the question).

HTH,
Paul.

Re: About Question enthuware.jwpv6.2.645 :

Posted: Wed Jun 10, 2015 10:16 am
by pwang8
Shouldn't the last line in the code restrict GET access to the "/secureDynamic" URL to only the "employee" role?

sd.addMapping("/secureDynamic");

Is it additive (does the deployment descriptor combine with the dynamic code)?



*** Please Ignore this post, explanations have the answer ***

If a URL pattern of this ServletRegistration is an exact target of a security-constraint that was established via the portable deployment descriptor, then this method does not change the security-constraint for that pattern, and the pattern will be included in the return value.

Re: About Question enthuware.jwpv6.2.645 :

Posted: Sun May 01, 2016 4:31 pm
by himaiMinh
Hi,
For the first option, "A user must be in employee role to access /dynamic but not /secureDynamic using any HTTP method."
Access to both URLs using HTTP POST is restricted only to the role "employee".

I think access to /dynamic via the GET method is restricted to employee according to the ServletContextListener.
Access to /secureDynamic via the POST method is restricted to employee according to the DD.
But access to /dynamic via the POST method is not restricted.

Re: About Question enthuware.jwpv6.2.645 :

Posted: Sun May 01, 2016 8:08 pm
by admin
As per Section 13.4.2 of Servlet 3.1 specification:
When a security-constraint in the portable deployment descriptor includes a url-pattern that is an exact match for a pattern mapped by a ServletRegistration, calls to setServletSecurity on the ServletRegistration must have no effect on the constraints enforced by the Servlet container on the pattern.
Here, the url-pattern /secureDynamic is present in the DD, and the DD restricts only its POST method to employee. Therefore, the calls to setServletSecurity on the ServletRegistration for this pattern will have no effect. Hence, the restriction on GET imposed by the Java code will not be effective.

HTH,
Paul.
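Worked example of the interaction Paul describes above, added here as an illustration; it is not code from the original thread, from the Enthuware question, or from any container. It assumes a hypothetical servlet class DynamicServlet and a web.xml fragment of the shape the thread discusses (only POST on /secureDynamic constrained to "employee", shown in the leading comment). The listener registers the servlet with both mappings, applies a programmatic GET-only constraint, and then inspects the Set returned by setServletSecurity, which per Servlet 3.1 section 13.4.2 lists the patterns the container left untouched because the deployment descriptor already constrains them exactly.

```java
// Added example (not from the original post or the Enthuware question).
//
// Assumed web.xml fragment, matching the thread's description:
// only POST on /secureDynamic is restricted to the "employee" role.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>secure</web-resource-name>
//       <url-pattern>/secureDynamic</url-pattern>
//       <http-method>POST</http-method>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>employee</role-name>
//     </auth-constraint>
//   </security-constraint>

import java.util.Arrays;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebListener;

@WebListener
public class DynamicSecurityListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // DynamicServlet is an assumed class name for this example.
        ServletRegistration.Dynamic sd = ctx.addServlet("dynamic", DynamicServlet.class);
        sd.addMapping("/dynamic");
        sd.addMapping("/secureDynamic");

        // Programmatic constraint: GET requires the "employee" role.
        // The no-arg HttpConstraintElement is the default for every method
        // not listed explicitly; its empty-role semantic is PERMIT, so POST
        // on /dynamic remains open, exactly as the thread concludes.
        HttpConstraintElement otherMethods = new HttpConstraintElement();
        HttpMethodConstraintElement getOnly = new HttpMethodConstraintElement(
                "GET",
                new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, "employee"));
        ServletSecurityElement security =
                new ServletSecurityElement(otherMethods, Arrays.asList(getOnly));

        // Servlet 3.1 section 13.4.2: the returned set holds the URL patterns
        // that were an exact target of a web.xml security-constraint; the
        // container keeps the descriptor's rules for those and ignores ours.
        Set<String> untouched = sd.setServletSecurity(security);

        // Check a practitioner wants: surface the patterns whose GET rule was
        // silently dropped instead of assuming the dynamic policy applied.
        // With the web.xml above, this logs "/secureDynamic".
        if (!untouched.isEmpty()) {
            ctx.log("Programmatic security ignored for DD-constrained patterns: " + untouched);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

With the assumed descriptor, the resulting policy is: GET on /dynamic requires "employee" (from the listener), POST on /secureDynamic requires "employee" (from web.xml), and both GET on /secureDynamic and POST on /dynamic are unrestricted. Logging the returned set at startup is the simplest way to catch the case where a descriptor entry quietly overrides a programmatic constraint.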

Re: About Question enthuware.jwpv6.2.645 :

Posted: Wed Nov 29, 2017 1:15 am
by JJeena
I am very confused. Please help..

The explanation given in the 1st wrong answer says
"Access to both the urls using HTTP POST is restricted only to the role "employee".

While explanation given for correct answer says:
"Security information specified dynamically cannot override the security configuration specified in the deployment descriptor. Here, the descriptor restricts only POST method on /secureDynamic. Other methods are unrestricted. "

Which one is correct? So if the call to setServletSecurity has no effect, then there is no restriction on accessing /dynamic. Then the 1st explanation is wrong, isn't it?

Re: About Question enthuware.jwpv6.2.645 :

Posted: Fri Jun 08, 2018 11:03 pm
by admin
In this case, the DD doesn't explicitly restrict or unrestrict access to the other methods. So the servlet code is free to apply access rights to these dynamically.