Given this fragment in a servlet:
23. if(reg.isUserInRole("Admin")) {
24. // do stuff
25. }
And the following fragment from the related Java EE deployment descriptor:
812. <security-role-ref>
813. <role-name>Admin</role-name>
814. <role-link>Administrator</role-link>
815. </security-role-ref>
900. <security-role>
901. <role-name>Admin</role-name>
902. <role-name>Administrator</role-name>
903. </security-role>
What is the result?
A. Line 24 can never be reached.
B. The deployment descriptor is NOT valid.
C. If line 24 executes, the user's role will be Admin.
D. If line 24 executes, the user's role will be Administrator.
E. If line 24 executes, the user's role will NOT be predictable.
B
D, because the real role is that identified with role-link, that identified with role-name is a placeholder in the code
E
It should be (D).
I have doubts if it should be E. D would be true if Admin wasn’t declared in security-role but, as it is, an Admin user could access the code above. I’ll test.
I was wrong, it’s D.
I tested in JBoss and if you declare both roles (they should be in different security-role elements, not in one as in the example), the Admin role is overridden. Logged in as Admin returns false for both isUserInRole("Admin") and isUserInRole("Administrator"), while logged in as Administrator returns true for both.
sure it is B, because it is allowed to have one and only one element
but if it was:
Admin
Administrator
Admin
Administrator
in this case the answer would be D.
notice that "Admin" only makes sense for the developer.
role-link informs us that the "Admin" role is mapped to "Administrator", which is the real role
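As an added example (not code from the thread), the following Python script models the two things discussed above: it checks that every security-role in a deployment descriptor declares exactly one role-name, and it emulates how a container resolves isUserInRole() through security-role-ref/role-link. The web.xml fragment and the servlet name AdminServlet are constructed for the example; the role sets passed in stand for the roles a container would have assigned to the authenticated principal.

```python
"""Model of Java EE declarative role resolution (added example).
Validates <security-role> declarations and emulates how a container
resolves HttpServletRequest.isUserInRole() via <role-link>."""
import xml.etree.ElementTree as ET

# Constructed descriptor: the <security-role-ref> from the question plus two
# separate <security-role> declarations, each with a single <role-name>.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>Administrator</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Administrator</role-name></security-role>
</web-app>"""


def validate_roles(xml_text):
    """Return a list of problems; each <security-role> must hold exactly one <role-name>."""
    root = ET.fromstring(xml_text)
    problems = []
    for i, role in enumerate(root.iter("security-role")):
        names = [n.text for n in role.findall("role-name")]
        if len(names) != 1:
            problems.append(f"security-role #{i}: expected 1 role-name, found {names}")
    return problems


def role_links(xml_text, servlet_name):
    """Map the role names used in a servlet's code to the real roles they link to."""
    root = ET.fromstring(xml_text)
    links = {}
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name") != servlet_name:
            continue
        for ref in servlet.findall("security-role-ref"):
            name = ref.findtext("role-name")
            links[name] = ref.findtext("role-link") or name  # no link: same name
    return links


def is_user_in_role(xml_text, servlet_name, user_roles, coded_role):
    """Emulate isUserInRole: follow a matching role-link, else test the name directly."""
    real = role_links(xml_text, servlet_name).get(coded_role, coded_role)
    return real in set(user_roles)


if __name__ == "__main__":
    print(validate_roles(WEB_XML))
    print(is_user_in_role(WEB_XML, "AdminServlet", {"Admin"}, "Admin"))
    print(is_user_in_role(WEB_XML, "AdminServlet", {"Administrator"}, "Admin"))
```

With the link in place, a principal holding only Admin fails isUserInRole("Admin") while one holding Administrator passes both checks, which matches the JBoss observation above; feeding the descriptor from the question to validate_roles() reports its security-role with two role-name elements.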