About Question enthuware.jwpv6.2.693 :


Post by ETS User »


    <web-app>
        ...
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>test</web-resource-name>
                <url-pattern>/servlet/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>manager</role-name>
            </auth-constraint>
        </security-constraint>
        ...
    </web-app>

In which of the following cases will the user be prompted for username/password?
1. When the user clicks on a hyperlink displayed by <a href="/servlet/TestServlet">Test</a>
2. When the user clicks on the submit button of a form defined as: <form action="/servlet/TestServlet" method="POST">
For both option 1 and option 2.
For neither option 1 nor option 2.
The answer for this question says:
For neither option 1 nor option 2.
And explanation says:
When there is no <http-method> element in <security-constraint>, all methods are protected.
As per the above explanation, since all methods are protected, the username/password will be required for both option 1 & 2. Hence the 3rd option should be correct.

Please clarify.

Thanks,
Sanjay


Re: About Question enthuware.jwpv6.2.693 :

Post by admin »

And it is indeed marked as correct.
-Paul.


Re: About Question enthuware.jwpv6.2.693 :

Post by Guest »

Thanks. The answer given is correct. Somehow I had a different thought at that time.

Regards,
Sanjay


Re: About Question enthuware.jwpv6.2.693 :

Post by gurpreet_asrgndu »

Shouldn't the question be more clear that a proper authentication mechanism is in place?

Without a login-config element in place, if we try to access the constrained resource it won't ask for username and password. It will simply give a 403 unauthorisation error (I'm not sure about the status code that I used).

So IMHO it should be mentioned to assume that authentication elements/mechanism are in place.

regards
Gurpreet


Re: About Question enthuware.jwpv6.2.693 :

Post by admin »

gurpreet_asrgndu wrote:
Shouldn't the question be more clear that a proper authentication mechanism is in place?

Without a login-config element in place, if we try to access the constrained resource it won't ask for username and password. It will simply give a 403 unauthorisation error (I'm not sure about the status code that I used).

So IMHO it should be mentioned to assume that authentication elements/mechanism are in place.

regards
Gurpreet

This has now been specified.

Thank you for your feedback!


Re: About Question enthuware.jwpv6.2.693 :

Post by ArsenyKo »

Based on how url-patterns are matched, particularly if we have either <a href="/servlet/TestServlet">Click!</a> or <form action="/servlet/TestServlet"></form>, these values of the "href" and "action" attributes point to the application deployed to the context "/servlet".

So, the url-pattern in the web-resource-collection doesn't match either "href" or "action", which means it doesn't secure the URLs mentioned above, and I answered "For neither option 1 nor option 2." and I got "You answered incorrectly" (the correct answer was "For both option 1 and option 2.")

Seems unclear.


Re: About Question enthuware.jwpv6.2.693 :

Post by admin »

The app could be deployed to the default context as well, in which case /servlet would not be the context path. But you are right. The problem statement and the options have now been updated to avoid this ambiguity.
-Paul.
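
The two matching rules debated in this thread, as an added example that is not part of the original posts or of Enthuware's material: a simplified Python model of how a container decides whether a request falls under the security-constraint quoted in the first post. The function names `pattern_matches` and `required_roles` and the sample context paths are assumptions made for illustration; `<http-method-omission>`, best-match selection among several constraints, and `<login-config>` handling are not modelled.

```python
import xml.etree.ElementTree as ET

# The constraint from the question, with the "..." placeholders dropped.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def pattern_matches(pattern, path):
    """url-pattern rules: '/x/*' path prefix, '*.ext' extension, '/' default, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern

def required_roles(web_xml, context_path, request_uri, method):
    """Roles guarding the request, or None when no constraint applies (simplified model)."""
    if context_path and not (request_uri + "/").startswith(context_path + "/"):
        return None  # the URI belongs to a different web application
    # url-pattern is relative to the context root, so strip the context path first.
    path = request_uri[len(context_path):] or "/"
    roles = None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip().upper() for m in wrc.iter("http-method")]
            if methods and method.upper() not in methods:
                continue  # methods are listed and this one is not among them
            # No <http-method> at all: the collection covers every HTTP method.
            if any(pattern_matches(p.text.strip(), path) for p in wrc.iter("url-pattern")):
                found = {r.text.strip() for r in sc.iter("role-name")}
                roles = found if roles is None else roles | found
    return roles

if __name__ == "__main__":
    for ctx in ("", "/servlet"):  # default context vs. an app deployed at /servlet
        for verb in ("GET", "POST"):
            print(repr(ctx), verb, required_roles(WEB_XML, ctx, "/servlet/TestServlet", verb))
```

With the default context both GET and POST to /servlet/TestServlet require the manager role; with the application itself deployed at /servlet the same URI maps to /TestServlet inside the app and the constraint does not apply.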
