About Question enthuware.ocejws.v6.2.226 :

victor2016
Posts: 12
Joined: Wed Jan 20, 2016 7:16 pm

Post by victor2016 » Sat Sep 17, 2016 11:56 am

Hi,

Sorry, but I don't understand this requirement: "Define the root resource class as a Singleton EJB." I am researching this issue but cannot find an answer on what Singleton EJB has to do with role based JAX-RS authentication? I understand other requirements but have a gap in knowledge regarding EJB connection with respect to JAX-RS. Could you kindly explain a bit?

Thanks,
Victor.

fjwalraven
Posts: 423
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven » Sun Sep 18, 2016 2:08 pm

You definitely should read and study (a bit) about EJBs and Java EE-security. The EE6-tutorial is a good starting point: http://docs.oracle.com/javaee/6/tutorial/doc/

Regards,
Frits

fjwalraven
Posts: 423
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven » Sun Sep 18, 2016 2:17 pm

When you define an EJB as a JAX-RS root resource class you can use the EE6 security features an EE6 server provides you (like method based access control).

Nice EE6-security overview: http://docs.oracle.com/javaee/6/tutorial/doc/bnbwk.html

victor2016
Posts: 12
Joined: Wed Jan 20, 2016 7:16 pm

Re: About Question enthuware.ocejws.v6.2.226 :

Post by victor2016 » Sun Sep 18, 2016 3:02 pm

fjwalraven wrote:When you define an EJB as a JAX-RS root resource class you can use the EE6 security features an EE6 server provides you (like method based access control).

Nice EE6-security overview: http://docs.oracle.com/javaee/6/tutorial/doc/bnbwk.html

Hi,

Thank you for these resources. I also found discussion on this question (duplicate?) here: viewtopic.php?f=40&t=2535 which is also quite helpful.

fjwalraven
Posts: 423
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven » Sun Sep 18, 2016 3:37 pm

That is indeed a similar question (not a duplicate).

Regards,
Frits

sttaq0442
Posts: 27
Joined: Tue Nov 15, 2016 11:20 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by sttaq0442 » Tue Nov 15, 2016 1:01 pm

fjwalraven wrote:That is indeed a similar question (not a duplicate).

Regards,
Frits

Am I right in thinking that the Role based security is only possible in EJB container i.e. when your service is annotated with @Stateless or @Singleton?

Otherwise, if it can be achieved without EJB, then the following option will be correct:

Add a security constraint in the web deployment descriptor to restrict certain URL's.

fjwalraven
Posts: 423
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven » Wed Nov 16, 2016 12:02 am

Am I right in thinking that the Role based security is only possible in EJB container i.e. when your service is annotated with @Stateless or @Singleton?

Yes, you are right!

Regards,
Frits

sttaq0442
Posts: 27
Joined: Tue Nov 15, 2016 11:20 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by sttaq0442 » Wed Nov 16, 2016 6:16 am

fjwalraven wrote:
Am I right in thinking that the Role based security is only possible in EJB container i.e. when your service is annotated with @Stateless or @Singleton?
Yes, you are right!

Regards,
Frits

The first option is "Add a security constraint in the web deployment descriptor to restrict certain URL's." The explanation says that this is not needed, but am I right in thinking that it CAN ALSO be used using the following config? We would, however, still need to map the users to the roles in a xxx-web.xml file.

Code:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/jsp/security/protected/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<!-- Security roles used by this web application -->
<security-role>
    <role-name>manager</role-name>
</security-role>
<security-role>
    <role-name>employee</role-name>
</security-role>

fjwalraven
Posts: 423
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven » Wed Nov 16, 2016 2:16 pm

Yes, you can do that; however, you can't restrict a single method of a specific RESTful class, and that is what is required by the problem statement:
"We want to use role based security on a method of a RESTful Web Service."

Regards,
Frits
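
The method-level access control discussed in this thread, as an added example that is not part of the original posts or the exam material: a JAX-RS root resource declared as a Singleton EJB, with a different role list on each method. The class name, the `/orders` path and the method names are hypothetical; the role names are the ones from the web.xml fragment posted above. It assumes the web tier authenticates the caller (a `login-config` in web.xml) and that users are mapped to roles in the server-specific descriptor.

```java
// Added illustration: OrderResource, "/orders" and the method names are hypothetical.
import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Singleton;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Singleton                               // EJB: the container intercepts each business method call
@Path("/orders")                         // JAX-RS root resource class
@DeclareRoles({"manager", "employee"})   // role names from the web.xml fragment in this thread
public class OrderResource {

    @Resource
    private SessionContext ctx;          // exposes the authenticated caller to the bean

    // A plain list is enough here: a Singleton EJB uses container-managed
    // concurrency with write locks by default, so calls are serialized.
    private final List<String> orders = new ArrayList<String>();

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"manager", "employee"})   // both roles may read
    public String list() {
        return orders.toString();
    }

    @POST
    @Consumes(MediaType.TEXT_PLAIN)
    @RolesAllowed("manager")                 // only this one method is limited to managers
    public Response add(String order) {
        // The container has already rejected callers without the role
        // (EJBAccessException) before this body runs.
        String who = ctx.getCallerPrincipal().getName();
        orders.add(order + " (added by " + who + ")");
        return Response.status(Response.Status.CREATED).build();
    }
}
```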

sttaq0442
Posts: 27
Joined: Tue Nov 15, 2016 11:20 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by sttaq0442 » Thu Nov 17, 2016 5:47 am

fjwalraven wrote:Yes, you can do that however you can't restrict a single method of a specific RESTful class and that is what is required by the problem statement:
We want to use role based security on a method of a RESTful Web Service.
Regards,
Frits

Thanks Frits.

It's a tricky one. I missed the clue "a method" and even with this clue and the understanding that every method can have its own URL makes me feel that the first option is also correct. So for example, we can restrict a method by restricting its URL which is equivalent to the statement "role based security on a method". However, in this manner we can also restrict many URLs at once but it really depends on the expression we use in the web.xml and this expression is not given in the answer so we are open to guessing what the examiner may be thinking?
