Web.xml security

Below is the security declaration from my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>prefix-get-manager</web-resource-name>
<url-pattern>/ManagerApplication/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

Now as soon as the user login, i authenticate the user, and he is a valid user, now i want the user to access "ManagerApplication", so how do the web application know that the user role is "manager" ? Do i need to put the "role" (manager) into session ? if i should then what should session variable name?
Any help is appreciated, thanks
Hari

I believe you should be able to check the isUserInRole("manager") method from the HttpServletRequest object.
HttpServletRequest
public boolean isUserInRole(String role)

What do you think.
Cj

Originally posted by cj jack:
I believe you should be able to check the isUserInRole("manager") method from the HttpServletRequest object.
HttpServletRequest
public boolean isUserInRole(String role)

What do you think.
Cj

Hi,
To check whether the user is "Manager", I can use isUserInRole(String role), But my question is who will put that role, its me programmer has to do that explicitly or its done in the web container. If i have to that explicity when and where do i need to specify the "Manager" role?

This changes from server to server and also depends on the mechanism you are using to authenticate.
Essentially you need to say: 1) here is how to turn a string into a unique user name 2) here is how to turn a string into a unique group name 3) here is how to find if a member is in a group.
For example, I used Tomcat4 with the user and group details kept in a SecureWay LDAP database.
In the conf/server.properties file, the LDAP connection is set up like this:
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="cn=user" connectionPassword="password" connectionURL="ldap://ldapserver:389" debug="99" roleBase="o=organisation,dc=com,c=au" roleName="cn" roleSearch="(|(uniqueMember={0})(member={0}))" roleSubtree="true" userBase="o=organisation,dc=com.au,c=au" userPattern="cn={0},o=organisation,dc=com.au,c=au" userPassword="userpassword" />
This sets things up so that when a user puts in the name 'BOB', it gets turned into 'cn=BOB,o=organisation,dc=com.au,c=au' to pull the user out of LDAP. The password is checked against the 'userpassword' attribute.
When a user logs in and their details are loaded, (typically) the server will also load their roles at the same time.
Now we can give the short answer to your question: It is he application server that sets up the isUserInRole data, and this data is read-only.
Dave