Lucas Smith wrote: I would like to ask why this tag is a child of <servlet> but not of <web-app...>.
Is there any deeper reason?
We use a <security-role-ref> where the roles of a servlet may appear the same as the web app's (admin is in both) but may have different meanings.
e.g.
servlet - admin - administrative role
web-app - admin - lesser access role
web-app - administrator - administrative role --> this must be mapped to admin in <security-role-ref> so the web app understands what the servlet means.
This way you don't have to recode that servlet created by another developer every time you use it in your web app.
Lucas Smith wrote: I do not understand it to the end. Why is <security-role-ref> not a child of <web-app...>?
Because it's used for mapping a specific servlet's roles (a servlet developed by a developer who is not from your company, who has given different role names or the same role names with different meanings) to your web app's roles.
You are supposed to put a <security-role> tag for each security role you want to access in your application. If a container is allowing you to use roles not defined in web.xml, then it's container-specific and not guaranteed in the spec...
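
The mapping described in the replies above, written out as a deployment descriptor. This is an added example, not part of the original posts; the servlet name, class and URL pattern are hypothetical, and the role names follow the admin/administrator case from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Roles defined by the web application itself, each declared
       with its own <security-role> element. -->
  <security-role>
    <description>Lesser access role in this application</description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>Administrative role in this application</description>
    <role-name>administrator</role-name>
  </security-role>

  <!-- Servlet written by another developer. Its code calls
       request.isUserInRole("admin") and means "administrative role".
       Servlet name and class are hypothetical. -->
  <servlet>
    <servlet-name>VendorReportServlet</servlet-name>
    <servlet-class>com.example.vendor.ReportServlet</servlet-class>
    <security-role-ref>
      <!-- Role name hard-coded inside the servlet. -->
      <role-name>admin</role-name>
      <!-- Application role it resolves to, for this servlet only. -->
      <role-link>administrator</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>VendorReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

</web-app>
```

Because the reference sits inside this one <servlet> element, other servlets in the same application can still use admin in the application's own, lesser sense. If the <security-role-ref> is left out, the container checks the servlet's hard-coded name admin directly against the application's roles, so a user holding only the lesser admin role would pass the servlet's administrative check.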