File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes role-link and role-name elements? Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of The Mikado Method this week in the Agile and other Processes forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Reply Bookmark "role-link and role-name elements?" Watch "role-link and role-name elements?" New topic
Author

role-link and role-name elements?

Pourang Emami
Ranch Hand

Joined: Sep 21, 2002
Posts: 127
posted private message
0
Quote
I am wondering Which one is the one whoes value appears in the code?
I have seen two contradictory usages in two different books(Dushmukh and Wrox).
Thank you for your reply.
Best Rgards,
Pourang

Best Regards,<br />Pourang Emami
Bob Kerfoot
Ranch Hand

Joined: Oct 01, 2000
Posts: 47
posted
0
Quote
Pourang,
Both roles will evaluate to true in
request.isUserInRole("role-link-role");
request.isUserInRole("role-name-role");
Basically, the role specified in the <role-name> element is defining an alias for the actual role specified in the <role-link> element and its associated <security-role> element. As such, your servlet recognizes the authenticated user as being in both the actual role from <role-link> and the alias role in <role-name>. This is useful because if you deploy the servlet classes without the source code and explicitly hard-code a role name in the servlet source, the <security-role-ref> element allows you to map this internal hard-coded role as an alias to an actual role defined with a <security-role> element.
e.g.
With web.xml as:
<web-app>
<servlet>
<servlet-name>myServlet</servlet-name>
<servlet-class>MyServlet</servlet-class>
<security-role-ref>
<role-name>aliasRole</role-name>
<role-link>actualRole</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>myServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>myServlet Setup</web-resource-name>
<url-pattern>/myServlet</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>actualRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>actualRole</role-name>
</security-role>
</web-app>
MyServlet will evaluate both of the following to true:
request.isUserInRole("aliasRole");
request.isUserInRole("actualRole");
However, if you are deploying without the source, the deployment team(s) in the field may not use the same actual role names in their environment(s) as you have hard-coded so you should just document the hard-coded role name used in the servlet and not worry about using the actual role in the servlet source even though your servlet will recognize either as valid for an authenticated user.
Bob Kerfoot
 
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.
 
subject: role-link and role-name elements?
 
Similar Threads
role name in servelt element
[ ClassDiagram ] How to represent defaults
Is HFSJ error?
isUserInRole() doubt
Programmatic Security