About Question enthuware.ocejws.v6.2.220 :
Posted: Sun Apr 06, 2014 3:22 pm
by himaiMinh
For option 1
    @ApplicationPath("jax")
    @Path("rs")
    public class AdditionService extends Application {
        @RolesAllowed("student")
        @GET
        @Path("/add/{num1}/{num2}")
        public String addp(....) {...}
    }
It is not an EJB, but we can still define the role-based security in web.xml when the resource class is deployed.
The web.xml can be:
    <web-app>
    ...
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>secure addition</web-resource-name>
                <url-pattern>/jax/rs/add/*</url-pattern>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>student</role-name>
            </auth-constraint>
        </security-constraint>
    </web-app>
Any comments?
Re: About Question enthuware.ocejws.v6.2.220 :
Posted: Mon Apr 07, 2014 9:14 am
by fjwalraven
True, but I want to emphasize the (role-based) annotations in this question.
What I meant by
"Assume that there is a security constraint in the web deployment descriptor that allows "student" and "teacher" to access the URL"
is the following constraint:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure addition</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>student</role-name>
            <role-name>teacher</role-name>
        </auth-constraint>
    </security-constraint>
Would it be better to put that constraint in the problem statement?
Re: About Question enthuware.ocejws.v6.2.220 :
Posted: Mon Apr 07, 2014 10:53 am
by himaiMinh
Thanks for the explanation.
I understand it now. I missed the point that there is actually a web.xml that has already specified the roles of students and teachers.
In option 1, if AdditionService (a servlet-based resource class) is deployed, the @RolesAllowed won't do anything because @RolesAllowed is only used by EJB 3, not by servlets.
Also, in an EJB-based web service, the role-based annotations are in addition to the security defined in web.xml.
Using an example to compare role-based security annotations and role-based security in web.xml:
1. @RolesAllowed on a specific method specifies fine-grained role-based security, that is, the role-based security of a particular method.
2. Using web.xml specifies the general role-based security, for example, who can access all the @GET methods.
Any comments?
Re: About Question enthuware.ocejws.v6.2.220 :
Posted: Mon Apr 07, 2014 1:26 pm
by fjwalraven
1. @RolesAllowed on a specific method specifies fine-grained role-based security, that is, the role-based security of a particular method.
Yes, fine-grained, method-based security.
2. Using web.xml specifies the general role-based security, for example, who can access all the @GET methods.
Yes, coarse-grained, URL-based security.
Regards,
Frits
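An added example, not code from the thread or from the Enthuware question, showing how the two layers discussed above combine in a plain (non-EJB) JAX-RS resource: the coarse-grained URL constraint from web.xml establishes the caller's identity, and a fine-grained per-method role check is done explicitly through SecurityContext, since a servlet-based resource cannot count on @RolesAllowed. The class, the "multiply" method and the role names are assumed for illustration, and the @ApplicationPath("jax") Application subclass from the thread is assumed to exist in its own file.

```java
// Added example (not from the thread): non-EJB JAX-RS resource combining the
// coarse-grained web.xml URL constraint with an explicit per-method role check.
// Class name, "multiply" method and role names are assumed for illustration.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("rs")
public class AdditionService {

    // Filled in by the container with the identity established by the
    // <login-config> / <security-constraint> in web.xml for this URL.
    @Context
    private SecurityContext securityContext;

    // Coarse-grained only: web.xml already limits GET /jax/rs/* to
    // "student" and "teacher", so no further check is needed here.
    @GET
    @Path("/add/{num1}/{num2}")
    public String add(@PathParam("num1") int num1, @PathParam("num2") int num2) {
        return Integer.toString(num1 + num2);
    }

    // Fine-grained: only "teacher" may call this method, even though the URL
    // constraint lets "student" reach the same path prefix. A servlet-based
    // resource cannot rely on @RolesAllowed for this, so the check is explicit.
    @GET
    @Path("/multiply/{num1}/{num2}")
    public String multiply(@PathParam("num1") int num1, @PathParam("num2") int num2) {
        requireRole("teacher");
        return Integer.toString(num1 * num2);
    }

    private void requireRole(String role) {
        // isUserInRole() is false for an unauthenticated caller or one outside
        // the role; answer 403 (not 401) because authentication already took
        // place at the URL layer configured in web.xml.
        if (securityContext == null || !securityContext.isUserInRole(role)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }
}
```

With the "/*" constraint from the thread in place, a caller in the "student" role can reach /jax/rs/add/2/3 but receives 403 from /jax/rs/multiply/2/3, while a "teacher" gets a result from both.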