isUserInRole() doubt

Dear friends,

Can the isUserInRole() method return "true" even when its argument is NOT defined as a valid role name in the deployment descriptor?


Regards,
Vijay

No. That would be a security problem otherwise.

<web-app>
................
<security-role-ref>
<role-name>BOSS</role-name> <-- This is hard coded in the servlet code.
<role-link>manager</role-link> <-- This is the name that is defined in the <security-role> element.
</security-role-ref>
...............
</web-app>

============

isUserInRole("BOSS")

this methods would you call in the servlet to check whether the requesting user belongs to "manager" role or not

just add on to this thread,
IS this method isUserInRole() can be used only in doPost() ot doGet() methods, OR we can use it anywhere in the entire servlet??

Poonam Agarwal wrote:IS this method isUserInRole() can be used only in doPost() ot doGet() methods, OR we can use it anywhere in the entire servlet??

It's not a static method, so you need an object instance to invoke it on. Do you know which class this method belongs to, and thus what kind of object is needed?

Ulf Dittmer wrote:

It's not a static method, so you need an object instance to invoke it on. Do you know which class this method belongs to, and thus what kind of object is needed?

Yes Ulf, it is declared in the HttpServletRequest inferface public boolean isUserInRole(java.lang.String role), so i guess we can use this method in the any of the doxxx() methods plus in the service method also.

Please correct me if I am wrong

Thank you all very much for the replies and the discussions...


Regards,
Vijay