1. What is the difference between the <security-role-ref> and <security-role>?
posted 9 years ago
I believe <security-role> is used for defining the roles in your web app, and is used by the container to map its roles to those in your DD.
<security-role-ref> on the other hand is where declarative programmatic security has been used. If request.isUserInRole("Boss") has been used, but your app has no declaration of a 'Boss' role because you have used 'Manager', you can use <security-role-ref> to tell the container that 'Boss' means 'Manager'.
Open to corrections on this one as I'm learning too!
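A web.xml fragment showing the two elements from the post side by side, as an added example that is not part of the original post. The servlet name, class and URL pattern are hypothetical; the role names 'Boss' and 'Manager' are the ones used above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <!-- Hypothetical servlet whose code calls request.isUserInRole("Boss") -->
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>

    <!-- Scoped to this servlet only: the name hard-coded in the code
         ('Boss') is linked to a role declared for the application -->
    <security-role-ref>
      <role-name>Boss</role-name>      <!-- string passed to isUserInRole() -->
      <role-link>Manager</role-link>   <!-- must match a <security-role> below -->
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative check: only callers in 'Manager' reach /reports/* -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Application-wide role declaration; the container maps its own
       users and groups onto this name -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>

</web-app>
```

When reviewing a descriptor like this, check that every `<role-link>` value has a matching `<security-role>` entry, since a dangling link leaves the programmatic check pointing at a role the container never maps.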