Hi, some questions on web app security....

 
Ranch Hand
Posts: 67
Hi, I have some questions on web app security:
1. Inside the web.xml file, there is only one <web-app> ...</web-app> combo?
2. <servlet-role-ref>...</servlet-role-ref> and <security-role>...</security-role> are both under <web-app> ?
3. Looking at this statement:
"When a role-name is used in code(isUserInRole()) the container looks for it in the security-role-ref block first. If the same role-name exists in the real security-role block, the role-name declared in security-role-ref wins."

I don't understand what it wins. If possible, can you provide an example?
Thanks a million,
Carmen
 
Ranch Hand
Posts: 951
Hi,

There is no Servlet-role-ref element in DD. It should be security-role-ref.

This thread may be useful to you.

Thanks
 
Ranch Hand
Posts: 36
Hi,

Suppose you have in your DD:

<security-role-ref>
<role-name>Admin</role-name>
<role-link>Manager</role-link>
</security-role-ref>

<security-role>
<role-name>Admin</role-name>
</security-role>

and your servlet code has:

if (req.isUserInRole("Admin")) {
// perform some operations
}

This if block will internally/logically only execute for the Manager role and NOT the Admin role. In this case the word Admin is treated only as a string and not as a role, since Admin is actually Manager according to <security-role-ref>, even though there is a separate Admin role like this:

<security-role>
<role-name>Admin</role-name>
</security-role>

This is where <security-role-ref> wins over <security-role>.

Hope this makes Sense and Helps.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Yes, you are right. But the following additional entry is required in web.xml for the logic to work:

<security-role>
<role-name>Manager</role-name>
</security-role>

as the role-link element refers to the role name introduced by a <security-role> element.

Thanks
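To make the two replies above concrete, here is an added example (not code from the thread or from any servlet container) that models how a container resolves isUserInRole() against a web.xml: the servlet's own <security-role-ref> wins, so the coded name "Admin" is checked as the linked role "Manager", and a role-link whose <security-role> is missing is reported. The web.xml fragment and the servlet name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the thread (not taken from a real deployment).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>Manager</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>"""


def load_roles(web_xml):
    """Return (declared roles, {servlet-name: {coded role-name: linked role}})."""
    root = ET.fromstring(web_xml)
    declared = {r.findtext("role-name").strip() for r in root.findall("security-role")}
    refs = {}
    for servlet in root.findall("servlet"):
        links = {}
        for ref in servlet.findall("security-role-ref"):
            coded = ref.findtext("role-name").strip()
            link = ref.findtext("role-link")  # optional: without it the coded name must be a declared role
            links[coded] = link.strip() if link else coded
        refs[servlet.findtext("servlet-name").strip()] = links
    return declared, refs


def dangling_links(declared, refs):
    """role-link values with no matching <security-role>, the problem the last reply points out."""
    return sorted(link for links in refs.values() for link in links.values() if link not in declared)


def is_user_in_role(servlet, coded_role, user_roles, declared, refs):
    """Model of isUserInRole(): this servlet's security-role-ref wins; with no ref the
    coded name is matched directly against the declared security-roles."""
    real = refs.get(servlet, {}).get(coded_role, coded_role)
    return real in declared and real in user_roles


if __name__ == "__main__":
    declared, refs = load_roles(WEB_XML)
    print(is_user_in_role("ReportServlet", "Admin", {"Admin"}, declared, refs))    # False
    print(is_user_in_role("ReportServlet", "Admin", {"Manager"}, declared, refs))  # True
```

A user who holds only the Admin role fails the check in ReportServlet, while the same check in a servlet without the ref matches Admin directly.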
 