security-role-ref element

Programmatic security requires role names that
are hard-coded in the servlet to be specified in
the security-role-ref element. An example:
<servlet>
<servlet-name>SecureServlet</servlet-name>
<servlet-class>cgscwcd.chapter9.SecureServlet
</servlet-class>
<security-role-ref>
<role-name>manager</role-name>
<role-link>supervisor</role-link>
</security-role-ref>
</servlet>
In this example, manager will be hard-coded in
the servlet while supervisor is the actual

is this correct?I thought <security-role-ref> is a seperate element under <web-app>

yep. You are right!

1.security-role-ref comes inside <servlet>

yep. You are right!

1. <security-role-ref> comes inside <servlet>
2. <role-name> mentions the role name in the servlet code.
3. <role-link> mentions one of the roles from your <security-role> tag.

<role-link> mentions one of the roles from your <security-role> tag

and you do this in tomcat-users.xml , isnt it ?

no security-role is in web.xml only but it is mapped to the

<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users> like this

<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>

this maps to the following in web.xml -

<security-role>tomcat</security-role>

correct ?
sepearte tag for each role ! correct ?

<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage

Originally posted by Renu Radhika:
<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage

wrong !!
correct usage is as following :
<security-role><role-name>manager </role-name> </security-role> <security-role><role-name>director</role-name> </security-role> <security-role><role-name>employee</role-name> </security-role>

I often see that error !

Hmm....! max,,, ver subtle difference.
so the usage is -

<security-role> <role-name>admin</role-name> </security-role> ... .. ...

and so on for all roles. this goes in web.xml
the vendor specific user - role mapping goes in some other file.
in Tomcat, its called tomcat-users.xml. The usage for which is -

<tomcat-users> <user name="steve" password="1234ERT" roles="admin"/> .... ... </tomacat-users>

now again in the web.xml you get the <auth-constraint> element

... ... <security-contraint> </web-resource-collection> <web-resource-name>WCD revesion :wink: </web-resource-name> <url-pattern>/BeerReciepies/*</url-pattern> <!-- one on more elements--> <!--some more patterns--> <http-method>GET<http-method> <!-- zero or more elements --> ...<!-if needed add more--> ... </web-resource-collection> <auth-constraint> <role-name>admin</role-name <!-- some more roles depending on the need, only thse people --> <!-- have constrained access --> </auth-constraint> <security-contraint>


and since we are on this topic, lets reiterate that the above thing means -
only user called 'steve' ( has a admin role ) can have a CONSTRAINED access to the resources /BeerReciepies/*. Her the term contrained access means - 'he will be asked for authentication - of course - username and password'. also, any other user, say 'kim' not registerd in tomcat-users.xml is righteous to do a POST ( assuming its not listed in the http-method ) on the /BeerRecipies/* resources.

also -

one web.xml can have many <security-contraint> sections. Each giving contrained access to some users, by using a combination of url-elements and http-method elements. the auth-constraint of each <security-constraint> section, contains user list who have / dont have access to the resources in that <security-constrain> section.

hope it doesnt confuse people ... i am just trying recall...and everything i typed...i did it without seeing...except...i couldnt recall the <securiy-constraint> tag

Then I think the syntax of security-role is mentioned wrongly in study kit.