Is it correct that the HttpServletRequest method isUserInRole(String roleName) works like this in relation to the DD:
- first, it checks the DD for the <role-name> element of <security-role-ref> for a match
- if it doesn't find the above match, it checks the <role-name> of <security-role> for a match
- if it doesn't find a match in either case, it returns false
- if it does find a match in either case but the user is not authenticated, it returns false
- if it does find a match and the user is authenticated, it returns true
I think this is correct from my understanding of the spec, but just to be sure, can anyone confirm it is so?
"If no security-role-ref element matching a security-role element has been declared, the container must default to checking the role-name argument against the list of security-role elements for the web application."
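As an added illustration of the lookup described above (example code, not from the original post or any servlet container), here is a servlet that calls isUserInRole with a code-level role name and the web.xml fragment that links it to a deployed role. The servlet class, package and role names ("admin", "site-administrator") are hypothetical.

```java
// Added example (not part of the original post): a servlet whose code uses the
// role name "admin" while the deployment descriptor maps it to the deployed
// role "site-administrator". Class, package and role names are hypothetical.
//
// Assumed web.xml fragment for this servlet:
//
//   <servlet>
//     <servlet-name>ReportServlet</servlet-name>
//     <servlet-class>example.ReportServlet</servlet-class>
//     <security-role-ref>
//       <role-name>admin</role-name>                <!-- name used in code -->
//       <role-link>site-administrator</role-link>   <!-- declared below -->
//     </security-role-ref>
//   </servlet>
//   <security-role>
//     <role-name>site-administrator</role-name>
//   </security-role>
package example;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    // Role name as written in code. The container resolves it through the
    // security-role-ref above; with no matching ref it falls back to
    // comparing against the <security-role> names directly.
    static final String ADMIN_ROLE = "admin";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal user = req.getUserPrincipal();

        // Unauthenticated request: getUserPrincipal() is null and
        // isUserInRole() returns false whatever the DD says.
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated: true only if the user holds the mapped role.
        if (!req.isUserInRole(ADMIN_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + user.getName());
    }
}
```

With this descriptor, isUserInRole("admin") is resolved via the ref to "site-administrator", and, per the spec sentence quoted above, isUserInRole("site-administrator") is also accepted through the fallback against <security-role>. Note that an unknown role name (for instance a typo in the string) simply returns false rather than raising an error, so the check fails closed but a mistake is easy to miss without a test that expects the positive case.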