Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

role-link and role-name elements?

 
Pourang Emami
Ranch Hand
Posts: 127
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am wondering Which one is the one whoes value appears in the code?
I have seen two contradictory ussages in two different books.
Thank you for your reply.
Best Rgards,
Pourang
 
Bob Kerfoot
Ranch Hand
Posts: 47
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Pourang,
Both roles will evaluate to true in
request.isUserInRole("role-link-role");
request.isUserInRole("role-name-role");
Basically, the role specified in the <role-name> element is defining an alias for the actual role specified in the <role-link> element and its associated <security-role> element. As such, your servlet recognizes the authenticated user as being in both the actual role from <role-link> and the alias role in <role-name>. This is useful because if you deploy the servlet classes without the source code and explicitly hard-code a role name in the servlet source, the <security-role-ref> element allows you to map this internal hard-coded role as an alias to an actual role defined with a <security-role> element.
e.g.
With web.xml as:
<web-app>
<servlet>
<servlet-name>myServlet</servlet-name>
<servlet-class>MyServlet</servlet-class>
<security-role-ref>
<role-name>aliasRole</role-name>
<role-link>actualRole</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>myServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>myServlet Setup</web-resource-name>
<url-pattern>/myServlet</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>actualRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>actualRole</role-name>
</security-role>
</web-app>
MyServlet will evaluate both of the following to true:
request.isUserInRole("aliasRole");
request.isUserInRole("actualRole");
However, if you are deploying without the source, the deployment team(s) in the field may not use the same actual role names in their environment(s) as you have hard-coded so you should just document the hard-coded role name used in the servlet and not worry about using the actual role in the servlet source even though your servlet will recognize either as valid for an authenticated user.
Bob Kerfoot
 
Bob Kerfoot
Ranch Hand
Posts: 47
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

[ August 08, 2003: Message edited by: Bob Kerfoot ]
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic