This week's book giveaway is in the OCMJEA forum.
We're giving away four copies of OCM Java EE 6 Enterprise Architect Exam Guide and have Paul Allen & Joseph Bambara on-line!
See this thread for details.
The moose likes Servlets and the fly likes role-link and role-name elements? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of OCM Java EE 6 Enterprise Architect Exam Guide this week in the OCMJEA forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "role-link and role-name elements?" Watch "role-link and role-name elements?" New topic
Author

role-link and role-name elements?

Pourang Emami
Ranch Hand

Joined: Sep 21, 2002
Posts: 127
I am wondering Which one is the one whoes value appears in the code?
I have seen two contradictory ussages in two different books.
Thank you for your reply.
Best Rgards,
Pourang


Best Regards,<br />Pourang Emami
Bob Kerfoot
Ranch Hand

Joined: Oct 01, 2000
Posts: 47
Pourang,
Both roles will evaluate to true in
request.isUserInRole("role-link-role");
request.isUserInRole("role-name-role");
Basically, the role specified in the <role-name> element is defining an alias for the actual role specified in the <role-link> element and its associated <security-role> element. As such, your servlet recognizes the authenticated user as being in both the actual role from <role-link> and the alias role in <role-name>. This is useful because if you deploy the servlet classes without the source code and explicitly hard-code a role name in the servlet source, the <security-role-ref> element allows you to map this internal hard-coded role as an alias to an actual role defined with a <security-role> element.
e.g.
With web.xml as:
<web-app>
<servlet>
<servlet-name>myServlet</servlet-name>
<servlet-class>MyServlet</servlet-class>
<security-role-ref>
<role-name>aliasRole</role-name>
<role-link>actualRole</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>myServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>myServlet Setup</web-resource-name>
<url-pattern>/myServlet</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>actualRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>actualRole</role-name>
</security-role>
</web-app>
MyServlet will evaluate both of the following to true:
request.isUserInRole("aliasRole");
request.isUserInRole("actualRole");
However, if you are deploying without the source, the deployment team(s) in the field may not use the same actual role names in their environment(s) as you have hard-coded so you should just document the hard-coded role name used in the servlet and not worry about using the actual role in the servlet source even though your servlet will recognize either as valid for an authenticated user.
Bob Kerfoot
Bob Kerfoot
Ranch Hand

Joined: Oct 01, 2000
Posts: 47

[ August 08, 2003: Message edited by: Bob Kerfoot ]
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: role-link and role-name elements?