
Hi, some questions on web app security....

 
Carmen Brianick
Ranch Hand
Posts: 67
Hi, I have some questions on web app security:
1. Inside the web.xml file, there is only one <web-app> ...</web-app> combo?
2. <servlet-role-ref>...</servlet-role-ref> and <security-role>...</security-role> are both under <web-app> ?
3. Looking at this statement:
"When a role-name is used in code(isUserInRole()) the container looks for it in the security-role-ref block first. If the same role-name exists in the real security-role block, the role-name declared in security-role-ref wins."

I don't understand: what does it win? If possible, can you provide an example?
Thanks a million,
Carmen
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

There is no Servlet-role-ref element in DD. It should be security-role-ref.

This thread may be useful to you.

Thanks
 
Ganesh Sundaresan
Ranch Hand
Posts: 36
Hi,

Suppose you have in your DD

    <security-role-ref>
        <role-name>Admin</role-name>
        <role-link>Manager</role-link>
    </security-role-ref>

    <security-role>
        <role-name>Admin</role-name>
    </security-role>

and your servlet code has:

    if (req.isUserInRole("Admin")) {
        // perform some operations
    }

This if block will internally/logically only execute for the Manager role
and NOT the Admin role. In this case the word Admin is treated only like a string and not a role, as Admin is actually Manager according to <security-role-ref>, even though there is a separate Admin role like this:

    <security-role>
        <role-name>Admin</role-name>
    </security-role>

This is where <security-role-ref> wins over <security-role>

Hope this makes Sense and Helps.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Yes, you are right. But the following additional entry is required in web.xml for the logic to work:

    <security-role>
        <role-name>Manager</role-name>
    </security-role>

as the role-link element refers to a role name introduced by a <security-role> element.

Thanks
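The lookup order Ganesh describes (a <security-role-ref> inside the calling servlet is consulted before <security-role>) and Narendra's point that every <role-link> must name a declared <security-role> can both be checked mechanically. The following is an added example, not code from this thread or from any servlet container: it parses a constructed web.xml (servlet names, class names and the descriptor itself are all made up here) and models how the container resolves isUserInRole(), plus a lint that reports dangling role-links before deployment.

```python
"""Model of how a servlet container resolves HttpServletRequest.isUserInRole().

Added example; it is not code from the thread above or from a real container.
A <security-role-ref> declared inside the calling <servlet> is consulted first
(its <role-link> names the real role), and only if none matches is the name
used in code compared with the roles the user actually holds.
"""
import xml.etree.ElementTree as ET

# Constructed deployment descriptor (no XML namespace, to keep lookups short).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>Manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>PlainServlet</servlet-name>
    <servlet-class>example.PlainServlet</servlet-class>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>"""

# Same descriptor without the Manager <security-role>: the role-link dangles.
BROKEN_WEB_XML = WEB_XML.replace(
    "<security-role><role-name>Manager</role-name></security-role>", "")


class DeploymentDescriptor:
    """Minimal view of the role-related parts of a web.xml."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        # Roles introduced by top-level <security-role> elements.
        self.declared_roles = {
            r.findtext("role-name").strip() for r in root.findall("security-role")
        }
        # servlet-name -> {role-name used in code: role-link (real role)}
        self.role_refs = {}
        for servlet in root.findall("servlet"):
            name = servlet.findtext("servlet-name").strip()
            refs = {}
            for ref in servlet.findall("security-role-ref"):
                refs[ref.findtext("role-name").strip()] = ref.findtext("role-link").strip()
            self.role_refs[name] = refs

    def resolve_role(self, servlet_name, code_role):
        """Real role that isUserInRole(code_role) tests inside servlet_name."""
        refs = self.role_refs.get(servlet_name, {})
        if code_role in refs:
            return refs[code_role]  # <security-role-ref> wins over <security-role>
        return code_role            # no ref: the literal name is used as-is

    def is_user_in_role(self, servlet_name, code_role, user_roles):
        """Model of isUserInRole() for a user holding the given set of roles."""
        return self.resolve_role(servlet_name, code_role) in user_roles

    def dangling_role_links(self):
        """role-links naming a role that no <security-role> declares."""
        return sorted(
            (servlet, code_role, link)
            for servlet, refs in self.role_refs.items()
            for code_role, link in refs.items()
            if link not in self.declared_roles
        )


if __name__ == "__main__":
    dd = DeploymentDescriptor(WEB_XML)
    print("ReportServlet: isUserInRole('Admin') tests", dd.resolve_role("ReportServlet", "Admin"))
    print("Manager user passes:", dd.is_user_in_role("ReportServlet", "Admin", {"Manager"}))
    print("Admin user passes:  ", dd.is_user_in_role("ReportServlet", "Admin", {"Admin"}))
    print("Dangling links in broken descriptor:",
          DeploymentDescriptor(BROKEN_WEB_XML).dangling_role_links())
```

Running the script shows the behaviour described in the thread: in ReportServlet, a user who holds only Admin fails isUserInRole("Admin") while a user holding Manager passes, whereas PlainServlet, which has no <security-role-ref>, compares the literal name. The dangling-link check reports the missing Manager <security-role> that Narendra says is required.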
 