JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)

Authorisation doubt from hfsj ?

gurpeet singh
Ranch Hand

Joined: Apr 04, 2012
Posts: 924

Please refer to page 664 of HFSJ, 2nd edition. The topic is regarding Authorisation. Following is an excerpt from the book:

The most common form of authorization in servlets is for the container
to determine whether a specific servlet—and the invoking HTTP request
method—can be called by a user who has been assigned a certain
security “role”. So the first step is to map the roles in the vendor-specific
“users” file to roles established in the Deployment Descriptor.

I couldn't understand why there should be a mapping between roles defined in the vendor-specific file and roles in the DD. Why can't there be just one file, either vendor-specific or DD? Also, what does the mapping do / how is it accomplished?
Frits Walraven
Creator of Enthuware JWS+ V6

Joined: Apr 07, 2010
Posts: 1624

Hi Gurpeet Singh,

I couldn't understand why there should be a mapping between roles defined in the vendor-specific file and roles in the DD.

The Servlet 3.0 specs don't specify how a specific user (or Principal) should be mapped onto a logical "role". This is vendor-specific and therefore not part of the web.xml.

In Tomcat you can map a user to a role in the tomcat-users.xml file:
In other application servers the file might be in another place and have another name.

The Tomcat application server reads the tomcat-users.xml file when starting up. If you log in to your web application with the correct username and password (e.g. Jan, janjan), the web application will know that Jan is in the logical "role" of readers and will allow everything that readers are allowed to do (and disallow everything that writers are allowed to do).
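
To make the two-file split concrete, here is an added example (not from the original post, from HFSJ or from Tomcat's own distribution) showing the vendor-specific side and the portable side next to each other. The user Jan/janjan and the roles readers and writers come from the reply above; the second user Bob, the /articles/* URL pattern, the realm name and the choice of BASIC authentication are assumptions made for this example.

```xml
<!-- 1. Vendor-specific side: $CATALINA_BASE/conf/tomcat-users.xml, read by
     Tomcat's default UserDatabaseRealm at startup. This is the only place
     that says WHO is in a role. Jan/janjan is from the reply above; Bob
     and his password are assumptions for this example. -->
<tomcat-users>
  <role rolename="readers"/>
  <role rolename="writers"/>
  <!-- Jan may only read; Bob may read and write. -->
  <user username="Jan" password="janjan" roles="readers"/>
  <user username="Bob" password="bobbob" roles="readers,writers"/>
</tomcat-users>

<!-- 2. Portable side: WEB-INF/web.xml of the application. The DD only
     declares the logical role names and says WHICH roles may call WHICH
     URLs with WHICH HTTP methods; it never mentions a user or password,
     so the same WAR deploys unchanged on any Servlet 3.0 container. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Declare the logical roles this application knows about. These names
       are what the container matches against the roles the realm reports
       for the authenticated Principal, and what isUserInRole() checks. -->
  <security-role><role-name>readers</role-name></security-role>
  <security-role><role-name>writers</role-name></security-role>

  <!-- Anyone holding the readers role may GET articles (Bob qualifies too,
       because tomcat-users.xml gives him readers as well as writers). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Read articles</web-resource-name>
      <url-pattern>/articles/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>readers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Only writers may change articles. Jan is authenticated but not
       authorised here, so the container answers 403 for him. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Edit articles</web-resource-name>
      <url-pattern>/articles/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>writers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the container authenticates. The realm configured in the server
       (here: the one backed by tomcat-users.xml) decides where credentials
       live; the DD only picks the challenge mechanism. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Articles</realm-name>
  </login-config>
</web-app>
```

Two caveats a practitioner would check on this setup. First, naming explicit http-method elements means any method not listed (HEAD, OPTIONS, TRACE, ...) is left unconstrained for /articles/* under Servlet 3.0; either drop the http-method elements so the constraint covers every method, or, on a Servlet 3.1+ container, add <deny-uncovered-http-methods/> to the web.xml. Second, the stock tomcat-users.xml holds passwords in clear text, so it must be protected like any credential store and kept out of version control; newer Tomcat releases let you nest a CredentialHandler inside the Realm so the file stores password digests instead.
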

I agree. Here's the link: