
security-role tag confusion : need clarification

 
Sreeraj G Harilal
Can anyone explain what the use of <security-role> in web.xml is?
I have a couple of doubts.

1) If we can set a security constraint on a resource without typing <security-role> in web.xml, then why don't we use the <security-role-ref> tag without specifying <security-role> in web.xml?

2) Why are we NOT using <security-role-ref> outside the <servlet> tag?
 
Manikandan Jayaraman
Please explain your first question clearly!

As far as the second question is concerned ...

The security-role-ref is valid inside the servlet tag only, because that is the only relevant place. It helps in code reusability.

Suppose you want to use a servlet which was written for some other application. The role names of that application might be different from your application's. The 'manager' role of your app might be the same as the 'admin' role of the other application.

To reuse the same code without any code changes (you might be given just the class file by the other application's owner), you use this element.

role-name defines which role of the servlet you want to map.
role-link refers to which role of your application is to be linked to the servlet's role.
 
Manikandan Jayaraman
Hi All ... One Doubt ...

Should the role-name that we type under the auth-constraint of security-constraint MANDATORILY BE ONE OF THE ROLES MENTIONED IN THE security-role TAG?

If any role-name can be mentioned, then what is the consequence? How does authorisation behave?
 
Viji Elango
The role-name in the auth-constraint specifies the role that can access the resources.
It can be * (which means all the roles defined in the web application), or it MUST be a name that is defined in the <security-role> element of the deployment descriptor.

Regards,
Viji.
 
Viji Elango
To allow flexibility in defining the roles at deployment time, the servlet developer must convey the hard-coded values to the deployer.

The deployer then maps these hard-coded values to the actual role values that are used in the deployment environment.

The servlet developer will define the roles under <security-role-ref> for the <servlet>, which will have a link to the <role-name> which the deployer has given in <security-role>.

Hope this helps.

Regards,
Viji.
 
Marcus Green
In my course I describe the use of this tag as follows:

"One of the problems with programmatic security is that there is an implication that the role names must be embedded within the java code, which is generally not considered a good thing. The <security-role-ref> tag allows you to get around this, by allowing the creation of aliases for roles. In fact it might have made sense for this tag to have been named <security-role-alias>."
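The role-name/role-link mapping Manikandan describes above, the declaration rule in Viji's answer, and the aliasing Marcus Green quotes can all be exercised against a descriptor. The Python below is an added example, not code from this thread or from any servlet container: it parses a constructed web.xml (modelled on the one discussed in the thread; the servlet name BeerSelect and the roles Manager, Admin and king are sample values), reports role names that are used but never declared in <security-role>, and emulates isUserInRole() under the Servlet 2.4 rule that a <security-role-ref> maps the coded name to its <role-link> and, absent a ref, the coded name is checked only if it is a declared <security-role>. That default is my reading of the specification and is stated as an assumption in the code.

```python
"""Resolve and lint the role names in a Servlet 2.4 web.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor, modelled on the thread: the servlet code calls
# isUserInRole("Manager"); the deployer's real role is "Admin". The
# auth-constraint also names "king", which is never declared as a security-role.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>BeerSelect</servlet-name>
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/SelectBeer.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>king</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the parser also works on namespaced descriptors."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def parse_descriptor(xml_text):
    """-> (declared roles, {url-pattern: auth roles or None}, {servlet: {role-name: role-link}})."""
    declared, constraints, role_refs = set(), {}, {}
    for elem in ET.fromstring(xml_text):
        kind = _local(elem.tag)
        if kind == "security-role":
            declared.update(_text(c) for c in elem if _local(c.tag) == "role-name")
        elif kind == "security-constraint":
            tags = [(_local(c.tag), _text(c)) for c in elem.iter()]
            roles = {v for t, v in tags if t == "role-name"}
            # No <auth-constraint> means unrestricted; an empty one means nobody may enter.
            auth = roles if any(t == "auth-constraint" for t, _ in tags) else None
            constraints.update((v, auth) for t, v in tags if t == "url-pattern")
        elif kind == "servlet":
            refs = {}
            for c in elem:
                if _local(c.tag) == "security-role-ref":
                    parts = {_local(g.tag): _text(g) for g in c}
                    refs[parts.get("role-name")] = parts.get("role-link")
            name = next(_text(c) for c in elem if _local(c.tag) == "servlet-name")
            role_refs[name] = refs
    return declared, constraints, role_refs


def lint(declared, constraints, role_refs):
    """Role names the descriptor uses but never declares; the deployer should fix these."""
    problems = []
    for pattern, roles in constraints.items():
        problems += [f"{pattern}: auth-constraint role '{r}' not declared in <security-role>"
                     for r in roles or () if r != "*" and r not in declared]
    for servlet, refs in role_refs.items():
        problems += [f"servlet {servlet}: role-ref '{coded}' links to undeclared '{link}'"
                     for coded, link in refs.items() if link not in declared]
    return problems


def is_user_in_role(role_refs, declared, servlet, coded_name, user_roles):
    """Emulate request.isUserInRole(coded_name) inside `servlet`.

    Assumed rule (Servlet 2.4, SRV.12.3): a <security-role-ref> maps the coded
    name to its <role-link>; with no ref the container falls back to the coded
    name itself, but only if it is a declared <security-role>.
    """
    link = role_refs.get(servlet, {}).get(coded_name)
    if link is None and coded_name in declared:
        link = coded_name
    return link is not None and link in user_roles


def may_access(constraints, declared, pattern, user_roles):
    """Emulate the declarative check made before dispatching a request to `pattern`."""
    roles = constraints.get(pattern)
    if roles is None:     # URL is not under any auth-constraint
        return True
    wanted = declared if "*" in roles else roles   # '*' means every declared role
    return bool(wanted & set(user_roles))


if __name__ == "__main__":
    declared, constraints, refs = parse_descriptor(WEB_XML)
    for problem in lint(declared, constraints, refs):
        print("WARN", problem)
    print(is_user_in_role(refs, declared, "BeerSelect", "Manager", {"Admin"}))
```

Run against the sample, lint() warns that king appears in an auth-constraint with no matching <security-role>; a container such as Tomcat may still honour it, as the thread observes, but the descriptor no longer says what the deployer must provision and is not portable. is_user_in_role() shows why the alias matters: a user whose realm role is Admin passes the check for "Manager" only because of the role-ref, while a user holding an undeclared role such as king is refused by the programmatic check even though the auth-constraint lets that role reach the servlet.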
 
Sreeraj G Harilal
Thanks Marcus Green, I got my second question's answer from you.

Manikandan Jayaraman, I will try to make my first question clear.

My point is
We don't have to use the <security-role> tag in the web.xml file for security. We only have to specify the role name in the <auth-constraint> tag. It will directly check the roles from tomcat-users.xml.


<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginpage.html</form-login-page>
    <form-error-page>/loginerror.html</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Security for BeerSelect class</web-resource-name>
    <url-pattern>/SelectBeer.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>king</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>


If that is so,
my doubt is...
Why are we using the <security-role> tag and the <security-role-ref> tag together,
like

<servlet>
  <security-role-ref>
    <role-name>Manager</role-name>
    <role-link>Admin</role-link>
  </security-role-ref>
</servlet>

<security-role>
  <role-name>Admin</role-name>
</security-role>



The <role-link> tag inside the <security-role-ref> tag is enough to link the role name Manager with the actual role admin in tomcat-users.xml.
 
Manikandan Jayaraman
Tomcat is a container implementation. J2EE with Servlet 2.4 and JSP 2.0 is a specification. A specification should be generic across implementations. Hope you understood this point. Having said this ...

Consider a container which doesn't have means like Tomcat's to declare its roles. What will you do? You need some default means to do the mapping between role-name and role-link, right?

Relying on Tomcat (or any container) makes your application vendor-dependent. Hope I answered you.
 