Is it correct that the method of HttpServletRequest isUserInRole(String roleName) works like this in relation to the DD:
- first checks the DD for the <role-name> element of <security-role-ref> for a match
- if it doesn't find the above match, it checks the <role-name> of <security-role> for a match
- if it doesn't find a match in either case it returns false
- if it does find a match in either case but the user is not authenticated then it returns false
- if it does find a match and the user is authenticated it returns true
I think this is correct from my understanding of the spec, but just to be sure, can anyone confirm it is so?
- if it doesn't find the above match, it checks the <role-name> of <security-role> for a match
I think the second line which you have written is not correct.
According to my understanding about this, it only checks <security-role-ref>, and if it doesn't find a match it returns false.
SCJP 1.4, SCWCD 1.4
The Servlet Spec says (12.3):
"If no security-role-ref element matching a security-role element has been declared, the container must default to checking the role-name argument against the list of security-role elements for the web application."