This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Servlets and the fly likes role-link and role-name elements? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "role-link and role-name elements?" Watch "role-link and role-name elements?" New topic
Author

role-link and role-name elements?

Pourang Emami
Ranch Hand

Joined: Sep 21, 2002
Posts: 127
I am wondering Which one is the one whoes value appears in the code?
I have seen two contradictory ussages in two different books.
Thank you for your reply.
Best Rgards,
Pourang


Best Regards,<br />Pourang Emami
Bob Kerfoot
Ranch Hand

Joined: Oct 01, 2000
Posts: 47
Pourang,
Both roles will evaluate to true in
request.isUserInRole("role-link-role");
request.isUserInRole("role-name-role");
Basically, the role specified in the <role-name> element is defining an alias for the actual role specified in the <role-link> element and its associated <security-role> element. As such, your servlet recognizes the authenticated user as being in both the actual role from <role-link> and the alias role in <role-name>. This is useful because if you deploy the servlet classes without the source code and explicitly hard-code a role name in the servlet source, the <security-role-ref> element allows you to map this internal hard-coded role as an alias to an actual role defined with a <security-role> element.
e.g.
With web.xml as:
<web-app>
<servlet>
<servlet-name>myServlet</servlet-name>
<servlet-class>MyServlet</servlet-class>
<security-role-ref>
<role-name>aliasRole</role-name>
<role-link>actualRole</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>myServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>myServlet Setup</web-resource-name>
<url-pattern>/myServlet</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>actualRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>actualRole</role-name>
</security-role>
</web-app>
MyServlet will evaluate both of the following to true:
request.isUserInRole("aliasRole");
request.isUserInRole("actualRole");
However, if you are deploying without the source, the deployment team(s) in the field may not use the same actual role names in their environment(s) as you have hard-coded so you should just document the hard-coded role name used in the servlet and not worry about using the actual role in the servlet source even though your servlet will recognize either as valid for an authenticated user.
Bob Kerfoot
Bob Kerfoot
Ranch Hand

Joined: Oct 01, 2000
Posts: 47

[ August 08, 2003: Message edited by: Bob Kerfoot ]
 
Consider Paul's rocket mass heater.
 
subject: role-link and role-name elements?
 
Similar Threads
[ ClassDiagram ] How to represent defaults
Programmatic Security
isUserInRole() doubt
role name in servelt element
Is HFSJ error?