Hi, some questions on web app security....

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I have some questions on web app security:
1. Inside the web.xml file, there is only one <web-app> ...</web-app> combo?
2. <servlet-role-ref>...</servlet-role-ref> and <security-role>...</security-role> are both under <web-app> ?
3. Looking at this statement:
"When a role-name is used in code(isUserInRole()) the container looks for it in the security-role-ref block first. If the same role-name exists in the real security-role block, the role-name declared in security-role-ref wins."

I don't understand: what does it win? If possible, can you provide an example?
Thanks a million,
Carmen
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

There is no Servlet-role-ref element in DD. It should be security-role-ref.

This thread may be useful to you.

Thanks


Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
Ganesh Sundaresan
Ranch Hand

Joined: Feb 09, 2006
Posts: 36
Hi,

Suppose you have in your DD

<security-role-ref>
<role-name>Admin</role-name>
<role-link>Manager</role-link>
</security-role-ref>

<security-role>
<role-name>Admin</role-name>
</security-role>

and your servlet code has:
if (req.isUserInRole("Admin")) {
    // perform some operations
}

This if block internally/logically will only execute for the Manager role
and NOT the Admin role. In this case the word Admin is treated only like a string and not a role, as Admin is actually Manager according to <security-role-ref>, even though there is a separate Admin role like this
<security-role>
<role-name>Admin</role-name>
</security-role>

This is where <security-role-ref> wins over <security-role>

Hope this makes sense and helps.


Thanks, Ganesh
SJCP (95%), SCWCD (75%), SCDJWS (Planning to take....)
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

Yes, you are right. But the following additional entry is required in web.xml for the logic to work.

<security-role>
<role-name>Manager</role-name>
</security-role>

as the role-link element refers to the role name introduced by the <security-role> element.

Thanks
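
The lookup discussed in this thread, as an added example that is not part of the original posts and is not container code: a small Python model that reads a constructed web.xml, resolves isUserInRole() through security-role-ref before security-role, and reports any role-link that no security-role declares. The servlet name, class name, function names and the rule that an undeclared role never matches are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor (XML namespace omitted for brevity).
WEB_XML = """
<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>Manager</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>
"""

def load(xml_text):
    """Return (declared roles, {servlet-name: {role-name: role-link}})."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    refs = {}
    for servlet in root.findall("servlet"):
        refs[servlet.findtext("servlet-name")] = {
            ref.findtext("role-name"): ref.findtext("role-link")
            for ref in servlet.findall("security-role-ref")
            if ref.findtext("role-link")
        }
    return declared, refs

def is_user_in_role(xml_text, servlet, user_roles, name):
    """Model of the lookup: security-role-ref first, then security-role."""
    declared, refs = load(xml_text)
    # A matching ref swaps the coded name for its role-link; with no ref,
    # the name is checked directly against the declared security roles.
    effective = refs.get(servlet, {}).get(name, name)
    # Assumption of this model: a role that is not declared never matches.
    return effective in declared and effective in user_roles

def dangling_links(xml_text):
    """role-link values that no <security-role> element declares."""
    declared, refs = load(xml_text)
    return sorted({link for m in refs.values() for link in m.values()
                   if link not in declared})
```

Run against a real descriptor, dangling_links() is a quick review check for the missing security-role entry pointed out in the last reply.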