in here, the one defined in <role-name> is used for servlet programs, you can use isUserInRole() on it. the one in <role-link> is supposed to be defined in <security-role>, they are only visible to the web-container, not to your servlet. servlet only knows the role "BOSS". this way, you servlet is hard-coded with role name "BOSS", but when you deploy your servlet, you can give it different alias names, those alias only web-container know them, you servlet does not need to be changed, it only knows "BOSS". that's how you deploy your servlet without re-code and compile.
may I put <role-name> a name which has been defined in <security-role>?
jeffrey z. lee
posted 17 years ago
just keep in mind <role-name> is used by isUserInRole() and <role-ref> is supposed to be defined in <security-role>. as long as you think what you are doing is following that rule, you can create the role alias mapping as you wish.