Lucas Smith wrote:I would like to ask why this tag is a child of <servlet> but not of <web-app...>.
Is there any deeper reason?
We use a <security-role-ref> where roles of a servlet may appear the same as web app's (Admin is in both) but they may be having different meaning.
eg. servlet - admin - administrative role
web-app - admin - lesser access role
- administrator - administrative role --> this must be mapped to admin in <security-role-ref> so the web app understands what servlet means.
this way you dont have to recode that other developer created servlet every time you use it in your web app