tomcat & role1 are the actual roles defined in tomcat-users.xml, whereas Admin & Manager are just the logical names given by you for these role names. Tomcat will make a mapping when you give a logical name for any role, but it'll consider only the actual or real names configured in tomcat-users.xml.
Joined: Oct 02, 2002
Agree with what you have said.
My question is, if there is a mapping (through)
then why isn't the logical name (Admin) recognized in the Servlet?
Unless I explicitly specify the roles in Tomcat ("tomcat", "role1"), the if condition fails. But if I can specify it explicitly, there is no case of mapping between logical and actual roles.
My question is regarding the "mapping" - that doesn't seem to be taking place. If the container would recognize only the roles mentioned in tomcat-users.xml, would
work at all? It works as per HFSJ. For me it doesn't seem to. Not sure what I am missing here.
I think there is a mistake in the DD entries. The <security-role-ref> sub-entry must go under <servlet> .... </servlet> entries. The role references are not for the whole application; they are for a particular servlet definition.
I'm basically not getting the whole picture of your question, but let me explain to you what I understood. This <security-role-ref> stuff is similar to the <servlet>. Both elements are used for mapping an actual element to some logical name we prefer. I would like to mention that the <servlet-name> present under <servlet> is just a logical name & can only be used in web.xml & nowhere outside.
To be more clear, let's split the people involved in web development into 2 categories:
1. Developer group: will develop servlets, modify tomcat-users.xml & web.xml
2. Deployer group: assume they are allowed to modify only web.xml, maybe tomcat-users.xml if needed, but they don't have rights to modify the code for servlets.
Now considering the above scenario, how will the developer know (while developing servlets) what roles the deployer will map to the actual roles available? Situations may get worse if both groups belong to 2 different companies!! Therefore only actual roles will be considered in the servlet code which is executed by the container. The mapping provided by the deployer has nothing to do with the servlet code which is already developed. If we think about it logically it'll make sense.
Administrator in one company may be called Manager in another company. It varies with company rules. Here the developer should take care about identifying roles (generic) in the company, whereas the deployer is allowed to map these roles (actual) with their own roles (logical) (in web.xml) according to their business rules. Hope it helps..
Revert for further clarifications!!.
Joined: Dec 04, 2004
Let me give some more clarifications on what I understand.
Suppose we have one servlet MyServlet which is constrained using the security mechanism. The web.xml is similar to
Now, we realize that MyServlet is using some programmatic security in the code and using different roles other than tomcat and role1, i.e. the Admin role is equivalent to tomcat and Manager is equivalent to role1. But our tomcat-users.xml defines only tomcat and role1, so you have to map the roles in the <servlet>.
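As an added worked example (not code posted by anyone in this thread), here is a complete MyServlet plus the web.xml and tomcat-users.xml fragments that make the <security-role-ref> mapping described in the last two posts actually take effect. The servlet class name, the user "alice" and her password are assumptions for illustration. The key point is that the <security-role-ref> sits inside the <servlet> element: <role-name> is the logical name the developer hard-codes in isUserInRole(), and <role-link> is the real role that the Realm (tomcat-users.xml) knows about and that is declared in <security-role>. Without the role-ref, the Servlet spec says the container falls back to comparing the argument against the declared <security-role> names, which is why calling isUserInRole("tomcat") works but isUserInRole("Admin") silently returns false.

```java
/*
 * tomcat-users.xml (assumed, constructed for this example):
 *
 *   <tomcat-users>
 *     <role rolename="tomcat"/>
 *     <role rolename="role1"/>
 *     <user username="alice" password="s3cret" roles="tomcat"/>
 *   </tomcat-users>
 *
 * web.xml (assumed). Note that <security-role-ref> is a child of <servlet>,
 * not of <web-app>, and that every <role-link> must also appear as a
 * <security-role> so the container accepts it:
 *
 *   <servlet>
 *     <servlet-name>MyServlet</servlet-name>
 *     <servlet-class>example.MyServlet</servlet-class>
 *     <security-role-ref>
 *       <role-name>Admin</role-name>     <!-- logical name used in the code -->
 *       <role-link>tomcat</role-link>    <!-- real role from tomcat-users.xml -->
 *     </security-role-ref>
 *     <security-role-ref>
 *       <role-name>Manager</role-name>
 *       <role-link>role1</role-link>
 *     </security-role-ref>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>MyServlet</servlet-name>
 *     <url-pattern>/my</url-pattern>
 *   </servlet-mapping>
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>MyServlet</web-resource-name>
 *       <url-pattern>/my</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>tomcat</role-name>    <!-- real roles here, not logical ones -->
 *       <role-name>role1</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>BASIC</auth-method>
 *     <realm-name>Example</realm-name>
 *   </login-config>
 *   <security-role><role-name>tomcat</role-name></security-role>
 *   <security-role><role-name>role1</role-name></security-role>
 */
package example;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // The declarative <security-constraint> already forced authentication,
        // so getRemoteUser() is non-null here. Programmatic security then
        // decides what this particular user may do, using the LOGICAL names.
        boolean admin   = req.isUserInRole("Admin");   // true for alice: Admin -> tomcat
        boolean manager = req.isUserInRole("Manager"); // false for alice: Manager -> role1

        // No role-ref for "tomcat", so the container falls back to the
        // declared <security-role> list and matches the real name directly.
        boolean rawTomcat = req.isUserInRole("tomcat"); // true for alice

        if (!admin && !manager) {
            // Authenticated but holds none of the roles this servlet cares about.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + req.getRemoteUser());
        out.println("isUserInRole(\"Admin\")=" + admin);
        out.println("isUserInRole(\"Manager\")=" + manager);
        out.println("isUserInRole(\"tomcat\")=" + rawTomcat);

        if (admin) {
            out.println("admin-only section: visible");
        } else {
            out.println("manager section: visible");
        }
    }
}
```

Deploy this and request /my as alice: the output shows Admin=true, Manager=false, tomcat=true. Move the two <security-role-ref> blocks out of <servlet> (or drop them) and Admin flips to false while tomcat stays true, which is exactly the symptom described earlier in the thread. The <auth-constraint> still has to name the real roles; the logical names exist only for isUserInRole() inside that one servlet.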