
security-role-ref element

 
Renu Radhika
Ranch Hand
Posts: 243
Programmatic security requires role names that
are hard-coded in the servlet to be specified in
the security-role-ref element. An example:
<servlet>
<servlet-name>SecureServlet</servlet-name>
<servlet-class>cgscwcd.chapter9.SecureServlet</servlet-class>
<security-role-ref>
<role-name>manager</role-name>
<role-link>supervisor</role-link>
</security-role-ref>
</servlet>
In this example, manager will be hard-coded in
the servlet while supervisor is the actual

Is this correct? I thought <security-role-ref> is a separate element under <web-app>.
 
Manikandan Jayaraman
Ranch Hand
Posts: 230
Yep. You are right!

1. security-role-ref comes inside <servlet>
 
Manikandan Jayaraman
Ranch Hand
Posts: 230
Yep. You are right!

1. <security-role-ref> comes inside <servlet>
2. <role-name> mentions the role name in the servlet code.
3. <role-link> mentions one of the roles from your <security-role> tag.
 
Niranjan Deshpande
Ranch Hand
Posts: 1277
<role-link> mentions one of the roles from your <security-role> tag


And you do this in tomcat-users.xml, isn't it?
 
Renu Radhika
Ranch Hand
Posts: 243
No, security-role is in web.xml only, but it is mapped to the

<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>
like this
 
Niranjan Deshpande
Ranch Hand
Posts: 1277
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>

This maps to the following in web.xml -

<security-role>tomcat</security-role>

Correct?
Separate tag for each role! Correct?
 
Renu Radhika
Ranch Hand
Posts: 243
<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage
 
Celinio Fernandes
Ranch Hand
Posts: 549
Originally posted by Renu Radhika:
<security-role>
<role-name>manager</role-name>
<role-name>director</role-name>
<role-name>employee</role-name>
</security-role>

this is the usage


Wrong!!
Correct usage is as follows:


I often see that error!
 
Niranjan Deshpande
Ranch Hand
Posts: 1277
Hmm....! max,,, very subtle difference.
So the usage is -



and so on for all roles. This goes in web.xml.
The vendor-specific user - role mapping goes in some other file.
In Tomcat, it's called tomcat-users.xml. The usage for which is -



Now again in the web.xml you get the <auth-constraint> element




And since we are on this topic, let's reiterate that the above thing means -
only the user called 'steve' (has an admin role) can have CONSTRAINED access to the resources /BeerReciepies/*. Here the term constrained access means - 'he will be asked for authentication - of course - username and password'. Also, any other user, say 'kim', not registered in tomcat-users.xml is righteous to do a POST (assuming it's not listed in the http-method) on the /BeerRecipies/* resources.

Also -

One web.xml can have many <security-constraint> sections, each giving constrained access to some users, by using a combination of url-elements and http-method elements. The auth-constraint of each <security-constraint> section contains the user list who have / don't have access to the resources in that <security-constraint> section.

Hope it doesn't confuse people ... I am just trying to recall... and everything I typed... I did it without seeing... except... I couldn't recall the <security-constraint> tag
 
Renu Radhika
Ranch Hand
Posts: 243
Then I think the syntax of security-role is mentioned wrongly in study kit.
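
Added example, not part of any post in this thread: a small Python check for the points discussed above (<security-role-ref> sits inside <servlet>, each <role-link> names a declared <security-role>, and each <security-role> carries a single <role-name>). The function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread). It repeats two mistakes
# discussed above: several <role-name> children in one <security-role>, and a
# <role-link> that names no declared role.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>SecureServlet</servlet-name>
    <servlet-class>cgscwcd.chapter9.SecureServlet</servlet-class>
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>supervisor</role-link>
    </security-role-ref>
  </servlet>
  <security-role>
    <role-name>manager</role-name>
    <role-name>director</role-name>
  </security-role>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    return [c for c in elem if local(c.tag) == name]

def lint_web_xml(text):
    """Return findings about security-role / security-role-ref usage."""
    root = ET.fromstring(text)
    findings, declared = [], set()
    for role in kids(root, "security-role"):
        names = [(n.text or "").strip() for n in kids(role, "role-name")]
        if len(names) != 1:
            findings.append(f"security-role has {len(names)} role-name children, expected 1: {names}")
        declared.update(names)
    if kids(root, "security-role-ref"):
        findings.append("security-role-ref directly under web-app; it belongs inside servlet")
    for servlet in kids(root, "servlet"):
        sname = "".join((n.text or "").strip() for n in kids(servlet, "servlet-name"))
        for ref in kids(servlet, "security-role-ref"):
            for link in kids(ref, "role-link"):
                target = (link.text or "").strip()
                if target not in declared:
                    findings.append(f"{sname}: role-link '{target}' matches no declared security-role")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_web_xml(SAMPLE_WEB_XML)))
```

A role name checked in servlet code that resolves to no declared role never matches, so a descriptor that fails this check is worth fixing before deployment.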
 