
security - role - ref

 
Thambi Rajah
Ranch Hand
Posts: 36
I came across the following question on a mock exam.
Consider the following XML fragment occurring in web.xml of a webapp.


Which of the following methods would you call in the servlet to check whether the requesting user belongs to "manager" role or not?

Select 1 correct option.

(A) isUserInRole("BOSS")

(B) getUserRole("BOSS")

(C) isUserInRole("manager")

(D) getUserRole("manager")

(E) isSecure("manager")

The answer says (A). I wonder why (C) cannot be correct.
If somebody could explain this concept, I would appreciate it.
Thanks in advance
Thambi
 
Kyle Tang
Ranch Hand
Posts: 78
That is the definition, and why there is <security-role-ref>.
<security-role-ref><role-name>BOSS</role-name> <role-link>manager</role-link> </security-role-ref>

In here, the one defined in <role-name> is used for servlet programs; you can use isUserInRole() on it. The one in <role-link> is supposed to be defined in <security-role>; they are only visible to the web container, not to your servlet. The servlet only knows the role "BOSS".
This way, your servlet is hard-coded with the role name "BOSS", but when you deploy your servlet, you can give it different alias names. Only the web container knows those aliases; your servlet does not need to be changed, it only knows "BOSS". That's how you deploy your servlet without re-coding and recompiling.
 
jeffrey z. lee
Ranch Hand
Posts: 40
May I put in <role-name> a name which has been defined in <security-role>?
 
Kyle Tang
Ranch Hand
Posts: 78
Just keep in mind <role-name> is used by isUserInRole() and <role-ref> is supposed to be defined in <security-role>.
As long as you think what you are doing is following that rule, you can create the role alias mapping as you wish.
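
Added example, not part of the thread or the mock exam: a stand-alone Java model of the <security-role-ref> mapping discussed above, showing how the name hard-coded in the servlet ("BOSS") is translated to the container role ("manager") before the membership check. The servlet name, class name, sample users and helper names are constructed for illustration, and the sketch holds a single servlet, so it does not model that each ref is scoped to its own <servlet> element.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RoleRefDemo {
    // Constructed descriptor; only the <security-role-ref> values come from the thread.
    static final String WEB_XML = "<web-app><servlet>"
        + "<servlet-name>ReportServlet</servlet-name>"
        + "<servlet-class>demo.ReportServlet</servlet-class>"
        + "<security-role-ref><role-name>BOSS</role-name>"
        + "<role-link>manager</role-link></security-role-ref>"
        + "</servlet><security-role><role-name>manager</role-name></security-role></web-app>";

    static String child(Element e, String tag) {
        return e.getElementsByTagName(tag).item(0).getTextContent().trim();
    }

    // Reads every <security-role-ref> into a map: name used in code -> container role.
    static Map<String, String> roleRefs(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> refs = new HashMap<>();
        NodeList nodes = doc.getElementsByTagName("security-role-ref");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element ref = (Element) nodes.item(i);
            refs.put(child(ref, "role-name"), child(ref, "role-link"));
        }
        return refs;
    }

    // Model of the container's check: translate the coded name, then test membership.
    // A name with no matching ref is compared as-is, as Servlet 2.4+ containers do
    // against the <security-role> list.
    static boolean isUserInRole(Map<String, String> refs, Set<String> userRoles, String name) {
        return userRoles.contains(refs.getOrDefault(name, name));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> refs = roleRefs(WEB_XML);
        System.out.println("BOSS links to: " + refs.get("BOSS"));
        System.out.println("manager user: " + isUserInRole(refs, Set.of("manager"), "BOSS"));
        System.out.println("clerk user:   " + isUserInRole(refs, Set.of("clerk"), "BOSS"));
    }
}
```

When reviewing a deployment descriptor, check that every <role-link> value names a role actually declared in <security-role>, since a dangling link leaves the coded check pointing at a role no user can hold.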
 