On Thu, 27 Feb 2003, Donald Ball wrote:
> Date: Thu, 27 Feb 2003 12:26:38 -0500
> From: Donald Ball <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>,
>      [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: realm getRole() method ?
>
> On 2/27/2003 at 5:07 PM laurent marot wrote:
>
> >thanks but this method just allows checking if user match a role, i'd like
> >to get a method to discover the role.
>
> There is no such facility in the servlet api. Given a user, there is no way
> to get a list of roles to which the user belongs. I too find this a
> distressing limitation in using container managed security.

In some complex security scenarios, it is not always possible for a
container to articulate all possible roles that a user can be a member of.

> Best you can do
> is iterate over the list of role names and see which ones to which the user
> belongs, which of course doesn't help you if you don't have such a list.
>

Tomcat doesn't enforce this restriction, but the J2EE specs say that an
app must list all the roles it uses (either in security constraints or via
programmatic lookups) in <security-role> elements in the web.xml file. If
you did this, you could parse "/WEB-INF/web.xml" and identify the list.

You might also note that there is a facility for role aliasing present
here, using the <security-role-ref> element. This lets you program an app
that uses one name for a particular role, but the underlying Realm uses
some different name for it.

> - donald

Craig McClanahan
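Added example, not part of the original thread and not Tomcat's own code: one way to carry out the approach discussed above, reading the `<security-role>` declarations out of a web.xml and testing each declared name against a role check. The class name `DeclaredRoles`, its method names, the sample web.xml and the stand-in role check are all constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DeclaredRoles {
    // Collect <role-name> values found directly under <security-role> only;
    // <role-name> also occurs in <auth-constraint> and <security-role-ref>.
    static List<String> declaredRoles(InputStream webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Do not fetch the external DTD that a web.xml DOCTYPE may reference.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        NodeList decls = f.newDocumentBuilder().parse(webXml).getElementsByTagName("security-role");
        List<String> roles = new ArrayList<>();
        for (int i = 0; i < decls.getLength(); i++) {
            NodeList names = ((Element) decls.item(i)).getElementsByTagName("role-name");
            for (int j = 0; j < names.getLength(); j++) {
                roles.add(names.item(j).getTextContent().trim());
            }
        }
        return roles;
    }

    // Keep the declared roles for which the supplied check answers true.
    static List<String> rolesOf(List<String> declared, Predicate<String> isUserInRole) {
        List<String> held = new ArrayList<>();
        for (String r : declared) if (isUserInRole.test(r)) held.add(r);
        return held;
    }

    public static void main(String[] args) throws Exception {
        String sample = "<web-app>"  // constructed sample, not a real deployment descriptor
            + "<servlet><servlet-name>s</servlet-name><servlet-class>S</servlet-class>"
            + "<security-role-ref><role-name>boss</role-name><role-link>manager</role-link>"
            + "</security-role-ref></servlet>"
            + "<security-constraint><auth-constraint><role-name>admin</role-name>"
            + "</auth-constraint></security-constraint>"
            + "<security-role><role-name>admin</role-name></security-role>"
            + "<security-role><role-name>manager</role-name></security-role></web-app>";
        List<String> declared = declaredRoles(
            new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        Predicate<String> check = Arrays.asList("manager")::contains; // stand-in for the realm
        System.out.println(declared + " -> " + rolesOf(declared, check));
    }
}
```

Inside a servlet the inputs would be `getServletContext().getResourceAsStream("/WEB-INF/web.xml")` and `request::isUserInRole`. The result covers only roles the application declares, so a role known to the Realm but missing from web.xml will not appear.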