
security-role-ref of Servlet element?

 
Joe Harry
Guys,

What is the use of having a security-role-ref in the <servlet> tag?
 
Christophe Verré
A servlet programmer may not know real role names. He can use aliases instead, which he declares in the security-role-ref element of the servlet.
For example, let's say you have the following:


He will then use isUserInRole("FOO") to check if the user is a manager.
The real role name (manager) can be changed in the deployment descriptor, without recompiling Java classes, because the alias (FOO) does not change.
 
Joe Harry
Satou, but as a servlet author, how do I actually know that there ever exists a role called manager for me to configure my servlet tag's <security-role-ref>?
 
Christophe Verré
So you may start coding with:

and make a real role, like in Tomcat's users file, called manager. And you're doing all your tests, everything is fine.
Then the time comes to configure the real role names, those that are used at your client's server. Somebody else might change the name instead of you. If the real role is called "supermanager", he will just change your settings to:

And you don't have to worry about that, because you are using FOO, which will never change.
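
The alias-to-role mapping discussed in this thread, written out as a deployment descriptor. This is an added example, not code from the original posts; the servlet name and class (ReportServlet, com.example.ReportServlet) are hypothetical, while FOO, manager and supermanager are the names used above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. ReportServlet and com.example.ReportServlet are hypothetical names. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <!-- Alias the servlet code checks: request.isUserInRole("FOO") -->
    <security-role-ref>
      <role-name>FOO</role-name>
      <!-- Real role behind the alias. It must match a <security-role>
           declared below. At deployment only this value changes
           (manager becomes supermanager); the servlet class is untouched. -->
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>

  <!-- Roles known to the application. If isUserInRole() is called with a
       name that has no matching security-role-ref in the servlet, the
       container checks that name against this list directly. When the real
       role is renamed, rename it here and in any auth-constraint as well. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```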
 