About Question enthuware.jwpv6.2.693 :

Posted: Wed Nov 21, 2012 11:22 pm
by ETS User

    <web-app>
        ...
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>test</web-resource-name>
                <url-pattern>/servlet/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>manager</role-name>
            </auth-constraint>
        </security-constraint>
        ...
    </web-app>

In which of the following cases will the user be prompted for username/password?
1. When the user clicks on a hyperlink displayed by <a href="/servlet/TestServlet">Test</a>
2. When the user clicks on the submit button of a form defined as: <form action="/servlet/TestServlet" method="POST">
For both option 1 and option 2.
For neither option 1 nor option 2.
The answer for this question says:
For neither option 1 nor option 2.
And explanation says:
When there is no <http-method> element in <security-constraint>, all methods are protected.
As per the above explanation, since all methods are protected, the username/password will be required for both option 1 & 2. Hence the 3rd option should be correct.

Please clarify.

Thanks,
Sanjay

Re: About Question enthuware.jwpv6.2.693 :

Posted: Thu Nov 22, 2012 7:28 am
by admin
And it is indeed marked as correct.
-Paul.

Re: About Question enthuware.jwpv6.2.693 :

Posted: Sat Nov 24, 2012 8:22 am
by Guest
Thanks. The answer given is correct. Somehow I had a different thought at that time.

Regards,
Sanjay

Re: About Question enthuware.jwpv6.2.693 :

Posted: Thu Jan 10, 2013 2:27 pm
by gurpreet_asrgndu
Shouldn't the question be more clear that there is a proper authentication mechanism in place?

Without the login-config element in place, if we try to access the constrained resource it won't ask for username and password. It will simply give a 403 unauthorisation error (I'm not sure about the status code that I used).

So IMHO it should be mentioned to assume that authentication elements/mechanism are in place.

regards
Gurpreet

Re: About Question enthuware.jwpv6.2.693 :

Posted: Sun Jan 13, 2013 4:10 pm
by admin
gurpreet_asrgndu wrote:
Shouldn't the question be more clear that there is a proper authentication mechanism in place?

Without the login-config element in place, if we try to access the constrained resource it won't ask for username and password. It will simply give a 403 unauthorisation error (I'm not sure about the status code that I used).

So IMHO it should be mentioned to assume that authentication elements/mechanism are in place.

regards
Gurpreet
This has now been specified.

Thank you for your feedback!

Re: About Question enthuware.jwpv6.2.693 :

Posted: Sun Apr 07, 2013 10:25 am
by ArsenyKo
Based on how url-patterns are matched, particularly if we have either <a href="/servlet/TestServlet">Click!</a> or <form action="/servlet/TestServlet"></form>, these values of the "href" and "action" attributes point to the application deployed to the context "/servlet".

So, the url-pattern in the web-resource-collection matches neither "href" nor "action", which means it doesn't secure the URLs mentioned above. I answered "For neither option 1 nor option 2." and I got "You answered incorrectly" (the correct answer was "For both option 1 and option 2.").

Seems unclear.

Re: About Question enthuware.jwpv6.2.693 :

Posted: Sun Apr 07, 2013 11:03 am
by admin
The app could be deployed to the default context as well, in which case /servlet would not be the context path. But you are right. The problem statement and the options have now been updated to avoid this ambiguity.
-Paul.
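
Added example, not part of the original thread or of the question bank: a simplified Python model of the two matching rules discussed above (a constraint with no <http-method> covers every method, and the url-pattern is compared against the path that remains after the context path is removed). The function names and the dict layout are assumptions made for this illustration; <login-config>, role checks and the default "/" pattern are not modelled.

```python
# Simplified model of how a <security-constraint> is matched to a request.
# Illustration only; names and data layout are assumptions, not container code.

def path_in_context(request_uri, context_path):
    """Return the URI with the context path removed, or None if it is outside the app."""
    if context_path == "":                       # app deployed to the default context
        return request_uri
    if request_uri == context_path or request_uri.startswith(context_path + "/"):
        return request_uri[len(context_path):]
    return None

def pattern_matches(url_pattern, path):
    """Handle exact, path-prefix ('/x/*') and extension ('*.x') url-patterns."""
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(url_pattern[1:])
    return url_pattern == path

def is_constrained(constraint, method, request_uri, context_path=""):
    """True when the constraint applies to this method and URI."""
    path = path_in_context(request_uri, context_path)
    if path is None:
        return False
    methods = constraint["http_methods"]         # empty list: no <http-method> elements
    if methods and method.upper() not in methods:
        return False                             # method not listed, so not covered
    return any(pattern_matches(p, path) for p in constraint["url_patterns"])

# The constraint from the question: /servlet/*, role "manager", no <http-method>.
QUESTION = {"url_patterns": ["/servlet/*"], "http_methods": [], "roles": ["manager"]}

# Constructed variant that lists only GET, for comparison.
GET_ONLY = {"url_patterns": ["/servlet/*"], "http_methods": ["GET"], "roles": ["manager"]}

if __name__ == "__main__":
    uri = "/servlet/TestServlet"
    for ctx in ("", "/servlet"):
        for verb in ("GET", "POST"):
            print(repr(ctx), verb, is_constrained(QUESTION, verb, uri, ctx))
    print("GET_ONLY POST", is_constrained(GET_ONLY, "POST", uri))
```

With the default context both the link (GET) and the form (POST) hit the constraint; with the app deployed at "/servlet" the same URI resolves to "/TestServlet" inside the app and the pattern no longer matches, which is the ambiguity raised in the thread.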