
role-link

 
Jan Sterk
Ranch Hand
Posts: 142
Snippet from Enthuware:


b is given as incorrect, stating
"... If the servlet code uses the name given in the <role-link> element, it might work but is not guaranteed to work."

Is this true? When will it not work?
 
Joy Mukherjee
Ranch Hand
Posts: 62
This is from the spec:
The isUserInRole method expects a String user role-name parameter. A
security-role-ref element should be declared in the deployment descriptor
with a role-name sub-element containing the rolename to be passed to the
method. A security-role element should contain a role-link sub-element
whose value is the name of the security role that the user may be mapped into. The
container uses the mapping of security-role-ref to security-role when
determining the return value of the call.
For example, to map the security role reference "FOO" to the security role
with role-name "manager" the syntax would be:
    <security-role-ref>
        <role-name>FOO</role-name>
        <role-link>manager</role-link>
    </security-role-ref>
In this case if the servlet called by a user belonging to the "manager" security
role made the API call isUserInRole("FOO") the result would be true.
If no security-role-ref element matching a security-role element has
been declared, the container must default to checking the role-name element
argument against the list of security-role elements for the web application. The
isUserInRole method references the list to determine whether the caller is
mapped to a security role. The developer must be aware that the use of this default
mechanism may limit the flexibility in changing rolenames in the application
without having to recompile the servlet making the call.
 
Jan Sterk
Ranch Hand
Posts: 142
Yeah thanks, I also read that. I think that
... If no security-role-ref element matching a security-role element has
been declared, the container must default to checking the role-name element
argument against the list of security-role elements for the web application. The
isUserInRole method references the list to determine whether the caller is
mapped to a security role. ...


implies that in the above question, using 'supervisor' in isUserInRole is OK & legal.
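
Added illustration, not part of the thread and not any container's code: a small Java model of the two-step lookup in the spec text quoted above, run over a constructed descriptor that contains the spec's FOO to manager reference. The class name RoleLinkDemo, its fields and helpers, the caller's role set, and the single-servlet simplification are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical model of the lookup in the quoted spec text; not container code.
public class RoleLinkDemo {
    // Constructed descriptor: one servlet with the spec's FOO -> manager reference.
    static final String WEB_XML = "<web-app><servlet><servlet-name>demo</servlet-name>"
        + "<security-role-ref><role-name>FOO</role-name>"
        + "<role-link>manager</role-link></security-role-ref></servlet>"
        + "<security-role><role-name>manager</role-name></security-role>"
        + "<security-role><role-name>employee</role-name></security-role></web-app>";
    final Map<String, String> refs = new HashMap<>(); // ref role-name -> role-link
    final Set<String> declared = new HashSet<>();     // security-role names
    RoleLinkDemo(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The constructed sample has no DOCTYPE; refusing one also rules out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList r = d.getElementsByTagName("security-role-ref");
        for (int i = 0; i < r.getLength(); i++) {
            Element e = (Element) r.item(i);
            refs.put(text(e, "role-name"), text(e, "role-link"));
        }
        NodeList s = d.getElementsByTagName("security-role");
        for (int i = 0; i < s.getLength(); i++)
            declared.add(text((Element) s.item(i), "role-name"));
    }
    static String text(Element e, String tag) {
        Node n = e.getElementsByTagName(tag).item(0);
        return n == null ? null : n.getTextContent().trim(); // role-link may be absent
    }
    // Step 1: a matching security-role-ref is used and its role-link names the role.
    // Step 2: with no matching ref, fall back to the declared security-role list.
    boolean isUserInRole(Set<String> callerRoles, String arg) {
        String link = refs.get(arg);
        String role = link != null ? link : (declared.contains(arg) ? arg : null);
        return role != null && callerRoles.contains(role);
    }
    public static void main(String[] args) throws Exception {
        RoleLinkDemo app = new RoleLinkDemo(WEB_XML);
        Set<String> caller = Set.of("manager"); // constructed caller-to-role mapping
        for (String arg : List.of("FOO", "manager", "employee", "BAR"))
            System.out.println("isUserInRole(\"" + arg + "\") = " + app.isUserInRole(caller, arg));
    }
}
```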
 