					
				About Question enthuware.ocejws.v6.2.224 :
				Posted: Tue Feb 25, 2014 6:53 am
				by t.alex
				Hi Frits,
The statement says: "Assume that there is a security constraint in the web deployment descriptor that allows "student" and "teacher" to access the URL."
Which is to be understood as: whatever @RolesAllowed annotations the class may have, they are overridden by the settings in the dd. Right?
If that's true, then options 3 and 4 are correct.
Please correct me if I'm wrong.
Thanks,
Alex
			 
			
					
				Re: About Question enthuware.ocejws.v6.2.224 :
				Posted: Tue Feb 25, 2014 3:49 pm
				by fjwalraven
				Hi Alex,
What I meant by
"Assume that there is a security constraint in the web deployment descriptor that allows "student" and "teacher" to access the URL."
is the following security constraint:
<security-constraint>
	<web-resource-collection>
		<web-resource-name>secure addition</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>GET</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>student</role-name>
		<role-name>teacher</role-name>
	</auth-constraint>
</security-constraint>
The @RolesAllowed could be overridden by an ejb-jar.xml deployment descriptor; however, this cannot be done by the web.xml deployment descriptor. (Overriding of @RolesAllowed is typically a question you can expect in the EJB EE6 Certification exam.)
Would it be clearer if I added the security constraint to the problem statement?
Regards,
Frits
 
			 
			
					
				Re: About Question enthuware.ocejws.v6.2.224 :
				Posted: Wed Feb 26, 2014 2:16 am
				by t.alex
				Hi,
"The @RolesAllowed could be overridden by an ejb-jar.xml deployment descriptor however this cannot be done by the web.xml deployment descriptor."
Oh... I had overlooked that.
I now still have trouble understanding why the third option is wrong. The method-level @RolesAllowed should override the class level and allow student to invoke the method.
Seems to be the same case as here:  
http://docs.oracle.com/cd/E16439_01/doc ... m#BGBHEBJB
Thanks,
Alex
 
			 
			
					
				Re: About Question enthuware.ocejws.v6.2.224 :
				Posted: Wed Feb 26, 2014 6:18 am
				by fjwalraven
				Oh, yes I see your point, the annotation on the method should not be there!
Thanks for your feedback! 
Regards
Frits
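
Added example, not part of the thread and not the exam question's code: a sketch of the two checks discussed above, the web.xml URL constraint followed by the @RolesAllowed lookup in which a method-level annotation replaces the class-level one. The class AdditionService, its methods and the helper names are constructed for illustration; it assumes the JSR-250 annotations jar (javax.annotation.security) is on the classpath and does not model an ejb-jar.xml override.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.RolesAllowed;

public class RoleCheckDemo {

    // Constructed endpoint: class-level default plus one method-level override.
    @RolesAllowed("teacher")
    static class AdditionService {
        @RolesAllowed("student")
        public int add(int a, int b) { return a + b; }

        public int subtract(int a, int b) { return a - b; }
    }

    // Roles admitted by the <auth-constraint> quoted in the thread.
    static final Set<String> URL_ROLES =
            new HashSet<>(Arrays.asList("student", "teacher"));

    // A method-level @RolesAllowed replaces the class-level value entirely.
    // Returns null when neither level is annotated (method is unchecked).
    static Set<String> methodRoles(Method m) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        return ra == null ? null : new HashSet<>(Arrays.asList(ra.value()));
    }

    // Both layers must pass: the URL constraint, then the method permission.
    static boolean allowed(String role, Method m) {
        Set<String> roles = methodRoles(m);
        return URL_ROLES.contains(role) && (roles == null || roles.contains(role));
    }

    public static void main(String[] args) throws Exception {
        Method add = AdditionService.class.getMethod("add", int.class, int.class);
        Method sub = AdditionService.class.getMethod("subtract", int.class, int.class);
        for (String role : new String[] {"student", "teacher", "guest"}) {
            System.out.println(role + ": add=" + allowed(role, add)
                    + " subtract=" + allowed(role, sub));
        }
    }
}
```

Passing the URL constraint only gets a caller to the endpoint; the method permission is evaluated separately, so a role listed in web.xml can still be refused by the annotation.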