In the HFSJ chapter on Web application security, it is mentioned that we can define roles and corresponding users using the tomcat-users.xml file and the <security-role> tag in the DD. This, as I understand, is declarative security. Now, in most of the web apps that I work on, we generally have separate tables for users and roles, called say, user_master and role_master respectively. So, now if I use the vendor-specific declarative security mechanism (as mentioned above), does it mean that I no longer need to create the master tables? In fact, the users are picked from SAP database. Kindly shed some light on how decalarative security mechanism would actually be used in practice, possibly w.r.t. the above scenario.
posted 12 years ago
The Tomcat use the .xml file by default to maintain the users and roles. But you can use other mechanism to maintain the users and roles like JDBC using database tables. Please refer the security chapter in Tomcat documetation. There are plenty of examples.