About Question enthuware.ocejws.v6.2.319 :

Moderators: Site Manager, fjwalraven

Post Reply
disznoperzselo
Posts: 28
Joined: Fri Jan 02, 2015 12:13 pm
Contact:

About Question enthuware.ocejws.v6.2.319 :

Post by disznoperzselo » Thu Oct 08, 2015 12:36 pm

I compared this question (enthuware.ocejws.v6.2.319) to question enthuware.ocejws.v6.2.244. They seem to address the same problem.
The correct answers however are different .

244 says:
"Add declarative authentication in the web-container where the Web Service is exposed."

319 says:
"The same security constraints defined on the EJB for the EJB-clients will apply to the Web Service clients."

I think that the correct answer for 319 should be the combination of 319 and 244:

"Add declarative authentication in the web-container where the Web Service is exposed.
The same authorization constraints defined on the EJB for the EJB-clients will apply to the Web Service clients."

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.319 :

Post by fjwalraven » Thu Oct 08, 2015 2:57 pm

Hi !

There is a subtle difference in the two questions. In question 319 we have an existing application making use of EE-security (in this case declarative authentication is already in place). The question tests your knowledge about EJB clients and WebService clients: do they have separate configurable security constraints or not. "Adding declarative authentication" is not one of the options and therefore you can conclude that it is already taken care of (or not relevant to this question).

In Question 244 we test whether you know how declarative EE-security can be propagated from the web-container to the ejb-container.

But all-in-all you are right: you need to add declarative authentication in the web-container in order for EJB-clients and WebService-clients to use fine grained method based security annotations (e.g. RolesAllowed).

Regards,
Frits

disznoperzselo
Posts: 28
Joined: Fri Jan 02, 2015 12:13 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.319 :

Post by disznoperzselo » Fri Oct 09, 2015 4:01 am

Thanks, it is clear now that the focus is different but I don't see the subtle difference in the two contexts. We have an existing application making use of EE security in question 244 too, since it claims that
"Current security model is based on declarative role based method permission".

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.319 :

Post by fjwalraven » Wed Oct 14, 2015 2:54 pm

Still, I think, "Adding declarative authentication" is not one of the options and therefore you can conclude that it is already taken care of (or not relevant to the 319 question).
The same security constraints defined on the EJB for the EJB-clients will apply to the Web Service clients.
Note that a security constraint in Java EE always consists of a combination of Authentication and Authorization requirements. If you use the same security constraints for both WebService clients and EJB clients it means that both Authentication and Authorization requirements apply for both clients. There is way to differentiate between EJB clients' security constraints and the WebService clients' security constraints.

Regards,
Frits

Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests