I compared this question (enthuware.ocejws.v6.2.319) to question enthuware.ocejws.v6.2.244. They seem to address the same problem.
The correct answers however are different .
244 says:
"Add declarative authentication in the web-container where the Web Service is exposed."
319 says:
"The same security constraints defined on the EJB for the EJB-clients will apply to the Web Service clients."
I think that the correct answer for 319 should be the combination of 319 and 244:
"Add declarative authentication in the web-container where the Web Service is exposed.
The same authorization constraints defined on the EJB for the EJB-clients will apply to the Web Service clients."
About Question enthuware.ocejws.v6.2.319 :
Moderators: Site Manager, fjwalraven
-
- Posts: 28
- Joined: Fri Jan 02, 2015 12:13 pm
- Contact:
-
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
- Contact:
Re: About Question enthuware.ocejws.v6.2.319 :
Hi !
There is a subtle difference in the two questions. In question 319 we have an existing application making use of EE-security (in this case declarative authentication is already in place). The question tests your knowledge about EJB clients and WebService clients: do they have separate configurable security constraints or not. "Adding declarative authentication" is not one of the options and therefore you can conclude that it is already taken care of (or not relevant to this question).
In Question 244 we test whether you know how declarative EE-security can be propagated from the web-container to the ejb-container.
But all-in-all you are right: you need to add declarative authentication in the web-container in order for EJB-clients and WebService-clients to use fine grained method based security annotations (e.g. RolesAllowed).
Regards,
Frits
There is a subtle difference in the two questions. In question 319 we have an existing application making use of EE-security (in this case declarative authentication is already in place). The question tests your knowledge about EJB clients and WebService clients: do they have separate configurable security constraints or not. "Adding declarative authentication" is not one of the options and therefore you can conclude that it is already taken care of (or not relevant to this question).
In Question 244 we test whether you know how declarative EE-security can be propagated from the web-container to the ejb-container.
But all-in-all you are right: you need to add declarative authentication in the web-container in order for EJB-clients and WebService-clients to use fine grained method based security annotations (e.g. RolesAllowed).
Regards,
Frits
-
- Posts: 28
- Joined: Fri Jan 02, 2015 12:13 pm
- Contact:
Re: About Question enthuware.ocejws.v6.2.319 :
Thanks, it is clear now that the focus is different but I don't see the subtle difference in the two contexts. We have an existing application making use of EE security in question 244 too, since it claims that
"Current security model is based on declarative role based method permission".
"Current security model is based on declarative role based method permission".
-
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
- Contact:
Re: About Question enthuware.ocejws.v6.2.319 :
Still, I think, "Adding declarative authentication" is not one of the options and therefore you can conclude that it is already taken care of (or not relevant to the 319 question).
Regards,
Frits
Note that a security constraint in Java EE always consists of a combination of Authentication and Authorization requirements. If you use the same security constraints for both WebService clients and EJB clients it means that both Authentication and Authorization requirements apply for both clients. There is way to differentiate between EJB clients' security constraints and the WebService clients' security constraints.The same security constraints defined on the EJB for the EJB-clients will apply to the Web Service clients.
Regards,
Frits
Who is online
Users browsing this forum: No registered users and 1 guest