> From: Mike Keller [mailto:[EMAIL PROTECTED]]
> Subject: Re: Understanding of the security-role tag in the web.xml
>
> I have looked at the section 12, specifically 12.3 and 12.4,
> but I must be missing something.

Really have to read the whole section plus other bits and pieces of the spec to get a handle on what's going on. Also useful to look at the various web.xml files that come with Tomcat's pre-packaged apps.

> I don't understand how the <security-role> tag is useful when you
> are already restricting a resource through the <auth-constraint>.

The <security-role> element is used for programmatic (app-managed) authentication and access control, not declarative (container-managed) authentication. As you surmised, it's the <auth-constraint> element of <security-constraint> that describes container-managed authentication. You may use neither, either, or both declarative and programmatic security for any given app.

> Is this meant simply to give a less abstract name to a role?

That's what the <role-link> element does within <security-role-ref>. It allows you to specify the role name coded into the app via the <role-name> element and have it translated to the actual role name used by the container's security environment with <role-link>. Note that there's an error on page 91 of the 2.4 version of the spec: the sentence near the middle of the page that starts with "A security-role element should contain a role-link sub-element..." should be referring to a security-role-ref element; this has been corrected in the draft 2.5 spec.

> Also, is there another way to pragmatically restrict other than
> isUserInRole()? I don't get how I am not being authorized when there
> doesn't seem to be any code in place to check this.

Pragmatically or programmatically? When the spec talks about programmatic security, it's referring to what APIs a web app may use, not what a container (Tomcat) can use. The container must expose the APIs for app use, but may use any means necessary to internally manage security. What's pragmatic is pretty much dependent on how much time you have on your hands.
- Chuck

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
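To make the two mechanisms Chuck describes concrete, here is a constructed web.xml fragment (added here; not from the thread or from the Tomcat distribution) that uses both: a declarative <security-constraint> that makes the container authenticate callers of /reports/* and admit only the container role "staff", and a <security-role-ref> so that the app's hard-coded isUserInRole("admin") check resolves to the container role "tomcat-admins". All role names, URL patterns and the servlet class are assumptions.

```xml
<!-- web.xml fragment; constructed example, not from the thread.
     Role names (staff, tomcat-admins) and URL patterns are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <!-- Programmatic side: the servlet calls request.isUserInRole("admin")
         before showing the sensitive parts of a report. "admin" is the name
         hard-coded in the app; role-link maps it to the container's role. -->
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>tomcat-admins</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative side: the container authenticates the caller and rejects
       anyone not in "staff" before the servlet runs, with no code in the app.
       Without a constraint here the caller would never be authenticated and
       isUserInRole() would simply return false. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint or as a role-link target is
       declared once here. -->
  <security-role>
    <role-name>staff</role-name>
  </security-role>
  <security-role>
    <role-name>tomcat-admins</role-name>
  </security-role>
</web-app>
```

A user in "staff" but not in "tomcat-admins" passes the container's check, reaches the servlet, and has isUserInRole("admin") return false; a user in neither role is rejected by the container and the servlet code never runs.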