security-role-ref element

 
Ranch Hand
Posts: 243
Programmatic security requires role names that
are hard-coded in the servlet to be specified in
the security-role-ref element. An example:
<servlet>
  <servlet-name>SecureServlet</servlet-name>
  <servlet-class>cgscwcd.chapter9.SecureServlet</servlet-class>
  <security-role-ref>
    <role-name>manager</role-name>
    <role-link>supervisor</role-link>
  </security-role-ref>
</servlet>
In this example, manager will be hard-coded in
the servlet while supervisor is the actual

Is this correct? I thought <security-role-ref> is a separate element under <web-app>
 
 
Manikandan Jayaraman
Ranch Hand
Posts: 230
yep. You are right!

1. <security-role-ref> comes inside <servlet>
2. <role-name> mentions the role name in the servlet code.
3. <role-link> mentions one of the roles from your <security-role> tag.
 
Ranch Hand
Posts: 1277

<role-link> mentions one of the roles from your <security-role> tag



and you do this in tomcat-users.xml, isn't it?
 
Renu Radhika
Ranch Hand
Posts: 243
No, security-role is in web.xml only, but it is mapped to the

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>

like this
 
Niranjan Deshpande
Ranch Hand
Posts: 1277
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>

this maps to the following in web.xml -

<security-role>tomcat</security-role>

correct ?
separate tag for each role! correct?
 
Renu Radhika
Ranch Hand
Posts: 243
<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage
 
Ranch Hand
Posts: 549

Originally posted by Renu Radhika:
<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage



wrong!!
correct usage is as follows:


I often see that error!
 
Niranjan Deshpande
Ranch Hand
Posts: 1277
Hmm...! Max, very subtle difference.
So the usage is -



and so on for all roles. This goes in web.xml.
The vendor-specific user-role mapping goes in some other file.
In Tomcat, it's called tomcat-users.xml. The usage for which is -



now again in the web.xml you get the <auth-constraint> element




And since we are on this topic, let's reiterate that the above thing means -
only the user called 'steve' (who has an admin role) can have CONSTRAINED access to the resources /BeerReciepies/*. Here the term constrained access means - 'he will be asked for authentication - of course - username and password'. Also, any other user, say 'kim', not registered in tomcat-users.xml is righteous to do a POST (assuming it's not listed in the http-method) on the /BeerRecipies/* resources.

also -

One web.xml can have many <security-constraint> sections, each giving constrained access to some users by using a combination of url-elements and http-method elements. The auth-constraint of each <security-constraint> section contains the user list who have / don't have access to the resources in that <security-constraint> section.

Hope it doesn't confuse people... I am just trying to recall... and everything I typed, I did it without seeing... except I couldn't recall the <security-constraint> tag
 
Renu Radhika
Ranch Hand
Posts: 243
Then I think the syntax of security-role is mentioned wrongly in study kit.
 