This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
Pourang, Both roles will evaluate to true in request.isUserInRole("role-link-role"); request.isUserInRole("role-name-role"); Basically, the role specified in the <role-name> element is defining an alias for the actual role specified in the <role-link> element and its associated <security-role> element. As such, your servlet recognizes the authenticated user as being in both the actual role from <role-link> and the alias role in <role-name>. This is useful because if you deploy the servlet classes without the source code and explicitly hard-code a role name in the servlet source, the <security-role-ref> element allows you to map this internal hard-coded role as an alias to an actual role defined with a <security-role> element. e.g. With web.xml as: <web-app> <servlet> <servlet-name>myServlet</servlet-name> <servlet-class>MyServlet</servlet-class> <security-role-ref> <role-name>aliasRole</role-name> <role-link>actualRole</role-link> </security-role-ref> </servlet> <servlet-mapping> <servlet-name>myServlet</servlet-name> <url-pattern>/myServlet</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>myServlet Setup</web-resource-name> <url-pattern>/myServlet</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>actualRole</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>actualRole</role-name> </security-role> </web-app> MyServlet will evaluate both of the following to true: request.isUserInRole("aliasRole"); request.isUserInRole("actualRole"); However, if you are deploying without the source, the deployment team(s) in the field may not use the same actual role names in their environment(s) as you have hard-coded so you should just document the hard-coded role name used in the servlet and not worry about using the actual role in the servlet source even though your servlet will recognize either as valid for an authenticated user. Bob Kerfoot
Joined: Oct 01, 2000
[ August 08, 2003: Message edited by: Bob Kerfoot ]