You want to allow one set of roles to POST to a resource and another set of roles to GET it.
Which two configuration options should you use? (Choose two.)
Answer: B, D.
This question is about configuring access controls on a web resource in a Java EE 7 application. The objective is to allow one set of roles to access the resource using the HTTP GET method and another set of roles to access the resource using the HTTP POST method.
Let's review the options:
A. Two separate @HttpMethodConstraints annotations and sets of roles: The @HttpMethodConstraints annotation is used to specify security constraints on a method level for a resource method. Therefore, if we use two separate @HttpMethodConstraints annotations, one for the GET method and another for the POST method, we could specify different sets of roles for each method. This option could work, but it would require creating two separate methods for the same resource, one for GET and one for POST, which may not be practical.
B. A single @HttpMethodConstraint annotation and a map of method to roles: The @HttpMethodConstraint annotation can be used to specify security constraints on a resource method. If we use a single @HttpMethodConstraint annotation, we could map the GET method to one set of roles and the POST method to another set of roles using a map of methods to roles. This option is more practical than option A because we can specify both methods in the same resource.
C. Two <web-resource-collection> with different <http-method> in the deployment descriptor: The deployment descriptor is an XML file that describes the deployment configuration of a web application. If we use two separate <web-resource-collection> elements, one for the GET method and another for the POST method, we could specify different sets of roles for each method. However, this option requires duplicating the resource configuration, which could be difficult to maintain.
D. A single <web-resource-collection> with two <auth-constraint> with different <http-method> in the deployment descriptor: The <web-resource-collection> element is used to group resources and apply security constraints to them. If we use a single <web-resource-collection> element with two <auth-constraint> elements, one for the GET method and another for the POST method, we could specify different sets of roles for each method. This option is similar to option C, but instead of duplicating the resource configuration, we apply different security constraints to the same resource.
Therefore, the correct options for this scenario are B and D, as they allow us to configure the access controls for both methods on the same resource without duplicating the resource configuration.