Programmatic security requires role names that are hard-coded in the servlet to be specified in the security-role-ref element. An example:

<servlet>
  <servlet-name>SecureServlet</servlet-name>
  <servlet-class>cgscwcd.chapter9.SecureServlet</servlet-class>
  <security-role-ref>
    <role-name>manager</role-name>
    <role-link>supervisor</role-link>
  </security-role-ref>
</servlet>

In this example, manager will be hard-coded in the servlet while supervisor is the actual
Is this correct? I thought <security-role-ref> is a separate element under <web-app>.
Hmm....! Max, very subtle difference. So the usage is -
and so on for all roles. This goes in web.xml. The vendor-specific user - role mapping goes in some other file. In Tomcat, it's called tomcat-users.xml. The usage for which is -
Now again in the web.xml you get the <auth-constraint> element
And since we are on this topic, let's reiterate that the above thing means - only the user called 'steve' (who has an admin role) can have CONSTRAINED access to the resources /BeerReciepies/*. Here the term constrained access means - 'he will be asked for authentication - of course - username and password'. Also, any other user, say 'kim', not registered in tomcat-users.xml is righteous to do a POST (assuming it's not listed in the http-method) on the /BeerRecipies/* resources.
One web.xml can have many <security-constraint> sections, each giving constrained access to some users by using a combination of url-elements and http-method elements. The auth-constraint of each <security-constraint> section contains the user list who have / don't have access to the resources in that <security-constraint> section.
Hope it doesn't confuse people ... I am just trying to recall... and everything I typed... I did it without seeing... except... I couldn't recall the <security-constraint> tag.
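A check over a deployment descriptor for two points raised in this thread: a role-link (or auth-constraint role) that names no declared security-role, and a security-constraint that lists http-method and so leaves every other method unconstrained. This is an added example, not part of the original posts; the function name audit_web_xml, the finding codes and the sample descriptor are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; role names and URL pattern follow the thread.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>SecureServlet</servlet-name>
    <servlet-class>cgscwcd.chapter9.SecureServlet</servlet-class>
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>supervisor</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/BeerRecipies/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def audit_web_xml(xml_text):
    """Return (code, detail) findings for a web.xml given as a string."""
    def text(el):
        return (el.text or "").strip()
    root = ET.fromstring(xml_text)
    for el in root.iter():                 # drop any namespace prefix from tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {text(r) for r in root.findall("security-role/role-name")}
    findings = []
    # role-link must name a role declared in a <security-role> element
    for ref in root.findall("servlet/security-role-ref"):
        link = ref.find("role-link")
        if link is not None and text(link) not in declared:
            findings.append(("UNDECLARED_ROLE_LINK", text(link)))
    for sc in root.findall("security-constraint"):
        for role in sc.findall("auth-constraint/role-name"):
            if text(role) != "*" and text(role) not in declared:
                findings.append(("UNDECLARED_AUTH_ROLE", text(role)))
        # listing <http-method> leaves every unlisted method unconstrained
        for wrc in sc.findall("web-resource-collection"):
            methods = sorted(text(m) for m in wrc.findall("http-method"))
            if methods:
                for url in wrc.findall("url-pattern"):
                    detail = f"{text(url)} only constrains {','.join(methods)}"
                    findings.append(("UNCOVERED_METHODS", detail))
    return findings
```

Removing the http-method element (so the constraint covers all methods) and declaring supervisor in a security-role element clears both findings for the sample.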