Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

The Order of the security-role Element in DTD

 
JiaPei Jen
Ranch Hand
Posts: 1309
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In the Servlet 2.3 Specification, p. 91, the <security-role> element is placed after the <login-config>:
<!ELEMENT web-app (icon?, display-name?, description?,
distributable?, context-param*, filter*, filter-mapping*,
listener*, servlet*, servlet-mapping*, session-config?, mime-
mapping*, welcome-file-list?, error-page*, taglib*, resource-
env-ref*, resource-ref*, security-constraint*, login-config?,
security-role*, env-entry*, ejb-ref*, ejb-local-ref*)>
however, there is an example in p. 118 showing that the <security-role> element is placed before the <servlet> element:
<web-app>
<display-name>A Secure Application</display-name>
<security-role>
<role-name>manager</role-name>
</security-role>
<servlet>
<servlet-name>catalog</servlet-name>
<servlet-class>com.mycorp.CatalogServlet
</servlet-class>
<init-param>
<param-name>catalog</param-name>
<param-value>Spring</param-value>
</init-param>
<security-role-ref>
<role-name>MGR</role-name>
<!-- role name used in code -->
<role-link>manager</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>catalog</servlet-name>
<url-pattern>/catalog/*</url-pattern>
</servlet-mapping>
...
...
...
</web-app>
Does the order of the <security-role> matter?
 
Carl Trusiak
Sheriff
Posts: 3341
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Nice catch, you need to send a feedpack to Sun at servletapi-feedback@eng.sun.com
The order must follow the DTD. I tried to run Tomcat 4.0 with that example and get:

PARSE error at line 7 column -1
org.xml.sax.SAXParseException: Element "web-app" does not allow "servlet" here.
Starting service Tomcat-Apache
Apache Tomcat/4.0-b7

When it starts up.
Carl
[This message has been edited by Carl Trusiak (edited September 27, 2001).]
 
Tim Duncan
Ranch Hand
Posts: 150
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by JiaPei Jen:
Does the order of the <security-role> matter?

Simple answer -- yes, that's what the DTD says, however some servers are less strict in enforcing this. Tomcat is not one of them
 
Praveena Surapaneni
Greenhorn
Posts: 17
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi
I have gone thru the servlet specs and noticed the DD you have mentioned. For me its seems Right. This is how I explain. <security-role-ref> is a property of servlet tag and to define a
<security-role-ref> we need to define the <role-name> and <role-link> tags out of which <role-name> should be in accordance with that of <security-role>'s <role-name> already defined in a DD. Thats the reason why we should define <security-role> before hand.
Also I didn't notice anything in specs which indicate the order of these tags. If anyone had please point it out for me.
 
Tim Duncan
Ranch Hand
Posts: 150
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Praveena Surapaneni:
Also I didn't notice anything in specs which indicate the order of these tags. If anyone had please point it out for me.

The servlet spec contains the DTD for the deployment descriptor. The DTD specifies the elements that can occur in the deployment descriptor, how those elements are made up, whether they are optional etc, and the order that they can appear. That is what the ELEMENT definitions mean.
To quote the W3C:
content particles occurring in a sequence list must each appear in the element content in the order given in the list.



[This message has been edited by Tim Duncan (edited September 28, 2001).]
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic