<security-role-ref>

Lucas Smith
Ranch Hand

Joined: Apr 20, 2009
Posts: 804
    
    1

I would like to ask why this tag is a child of <servlet> but not of <web-app...>.
Is there any deeper reason?

And one more question:
Should we use:
<security-role></security-role> in web.xml?
I did not put it and everything works fine. Users' passwords are in tomcat-users.xml.


SCJP6, SCWCD5, OCE:EJBD6.
BLOG: http://leakfromjavaheap.blogspot.com
Kosala W.Abayagunawardene
Ranch Hand

Joined: Dec 15, 2007
Posts: 47

Lucas Smith wrote: I would like to ask why this tag is a child of <servlet> but not of <web-app...>.
Is there any deeper reason?



We use a <security-role-ref> where the roles of a servlet may appear the same as the web app's (Admin is in both) but may have different meanings.

e.g. servlet - admin - administrative role
web-app - admin - lesser access role
- administrator - administrative role --> this must be mapped to admin in <security-role-ref> so the web app understands what the servlet means.


This way you don't have to recode a servlet created by another developer every time you use it in your web app.


[SCJP] ::[SCWCD]::[BCS::BIT::SCBCD] - Studying[My Blog]
Lucas Smith
Ranch Hand

Joined: Apr 20, 2009
Posts: 804
    
    1

I do not fully understand it. Why is <security-role-ref> not a child of <web-app...>?
Kosala W.Abayagunawardene
Ranch Hand

Joined: Dec 15, 2007
Posts: 47

Lucas Smith wrote: I do not fully understand it. Why is <security-role-ref> not a child of <web-app...>?


Because it's used for mapping a specific servlet's role (the servlet having been developed by a developer who is not from your company and who has given it different role names, or the same role names with different meanings) to your web app's roles.
Lucas Smith
Ranch Hand

Joined: Apr 20, 2009
Posts: 804
    
    1

OK, thanks.

And one more question:
Should we use:
<security-role></security-role> in web.xml?
I did not put it and everything works fine. Users' passwords are in tomcat-users.xml.
Lucas Smith
Ranch Hand

Joined: Apr 20, 2009
Posts: 804
    
    1

Anyone?
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9280
    
  17

You are supposed to put a <security-role> tag for each security role you want to access in your application. If a container is allowing you to use roles not defined in web.xml, then it's container-specific and not guaranteed in the spec...


SCJP 6 | SCWCD 5 | Javaranch SCJP FAQ | SCWCD Links
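
An added illustration (not code from the thread or from any container): this Python sketch parses a constructed web.xml that follows the admin/administrator example above, resolves which web-app role a name passed to isUserInRole() maps to, and lists roles that are used without a <security-role> declaration. The descriptor contents, the servlet name and the helper function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor (not from the thread; namespace and unrelated elements trimmed).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ThirdPartyServlet</servlet-name>
    <security-role-ref>
      <role-name>admin</role-name>          <!-- name used in isUserInRole() -->
      <role-link>administrator</role-link>  <!-- role declared by the web app -->
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>administrator</role-name></security-role>
</web-app>"""

def _kids(parent, name):
    # Match on local name so a namespaced web.xml works too.
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def _texts(parent, name):
    return [(c.text or "").strip() for c in _kids(parent, name)]

def resolve_role(root, servlet_name, code_role):
    """Web-app role checked when the servlet calls isUserInRole(code_role)."""
    for servlet in _kids(root, "servlet"):
        if servlet_name in _texts(servlet, "servlet-name"):
            for ref in _kids(servlet, "security-role-ref"):
                if code_role in _texts(ref, "role-name"):
                    return (_texts(ref, "role-link") or [code_role])[0]
    return code_role  # no matching ref: the name is checked as-is

def undeclared_roles(root):
    """Roles referenced by role-link or auth-constraint but lacking <security-role>."""
    declared = {r for sr in _kids(root, "security-role") for r in _texts(sr, "role-name")}
    used = {l for s in _kids(root, "servlet") for ref in _kids(s, "security-role-ref")
            for l in _texts(ref, "role-link")}
    used |= {r for sc in _kids(root, "security-constraint")
             for ac in _kids(sc, "auth-constraint") for r in _texts(ac, "role-name")}
    return sorted(used - declared - {"*"})  # "*" means all declared roles

ROOT = ET.fromstring(WEB_XML)
print(resolve_role(ROOT, "ThirdPartyServlet", "admin"), undeclared_roles(ROOT))
```

The "auditor" role is reported because it appears in an auth-constraint without a matching <security-role>, which is the container-specific situation described in the answer above.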
Lucas Smith
Ranch Hand

Joined: Apr 20, 2009
Posts: 804
    
    1

OK, thanks.
 