Thanks Marcus Green, I got the answer to my second question from you.
Manikandan Jayaraman, I will try to make my first question clear.
My point is:
We don't have to use the <security-role> tag in the web.xml file for security. We only have to specify the role name in the <auth-constraint> tag. It will directly check the roles from tomcat-users.xml.
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/loginpage.html</form-login-page>
        <form-error-page>/loginerror.html</form-error-page>
    </form-login-config>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security for BeerSelect class</web-resource-name>
        <url-pattern>/SelectBeer.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>king</role-name>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>
If that is so, my doubt is:
Why are we using the <security-role> tag and the <security-role-ref> tag together, like this?
<servlet>
    <security-role-ref>
        <role-name>Manager</role-name>
        <role-link>Admin</role-link>
    </security-role-ref>
</servlet>
<security-role>
    <role-name>Admin</role-name>
</security-role>
The <role-link> tag inside the <security-role-ref> tag is enough to link the role name Manager with the actual role admin in tomcat-users.xml.
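
As an added example (not part of the original post, and not code from Tomcat): a small Python check of how the three elements in this question relate. It follows the Servlet specification's rule that a role named in <auth-constraint> or <role-link> is expected to match a <security-role> declaration in the same web.xml. The sample descriptor is constructed from the post's fragments; the servlet name and class are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the post's fragments; servlet name/class are placeholders.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ExampleServlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security for BeerSelect class</web-resource-name>
      <url-pattern>/SelectBeer.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>king</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop any '{namespace}' prefix so namespaced descriptors also work."""
    return tag.rsplit("}", 1)[-1]

def undeclared_roles(web_xml):
    """Return sorted (role, where) pairs for roles used but not declared."""
    root = ET.fromstring(web_xml)
    declared, used = set(), []
    for el in root.iter():
        kind = _local(el.tag)
        for child in el:
            name, text = _local(child.tag), (child.text or "").strip()
            if kind == "security-role" and name == "role-name":
                declared.add(text)
            elif kind == "auth-constraint" and name == "role-name" and text not in ("*", "**"):
                used.append((text, "auth-constraint"))
            elif kind == "security-role-ref" and name == "role-link":
                used.append((text, "role-link"))
    return sorted({u for u in used if u[0] not in declared})

if __name__ == "__main__":
    for role, where in undeclared_roles(SAMPLE_WEB_XML):
        print(f"{where}: role '{role}' has no matching <security-role>")
```

On the sample, the check reports king and tomcat from the <auth-constraint> as undeclared, while the <role-link> to Admin resolves because a <security-role> for Admin is present.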