(Form-Based Authentication). However, you also add code to some of your resources
to customize their behavior based on who is accessing them.
Security Role References
The security-role-ref subelement of servlet lets you define servlet-specific
synonyms for existing role names. This element can contain three
subelements: description (optional descriptive text), role-name (the new synonym),
and role-link (the existing security role).
For instance, suppose that you are creating an online bookstore and your server's
user information store (e.g., Tomcat lets you use a password file as we describe in
Section 3.1) stipulates that user rowling is in role author. However, you want to
reuse a servlet of type BookInfo (in the catalog package) that was created elsewhere.
The problem is that this servlet calls the role writer, not author. Rather
than modifying the user information store, you can use security-role-ref to
provide writer as an alias for author.
Suppose further that you have a servlet of class EmployeeData (in the hr package)
that provides one type of information to a goodguy and another type to a meanie.
You want to use this servlet with the password file (i.e., Tomcat's specific user information
store) defined in Listing 3.1 that assigns users to the nobleSpirited and
meanSpirited roles. To accomplish this task, you can use security-role-ref to say
that isUserInRole("goodguy") should return true for the same users that
isUserInRole("nobleSpirited") already would.
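
The two aliases described above, written out as a deployment descriptor fragment. This is an added example, not a listing from the original text; the servlet-name values and the meanie-to-meanSpirited mapping are assumptions made for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml.
     servlet-mapping, security-constraint and login-config are left out
     because they do not change how role aliases are resolved. -->
<web-app>
  <servlet>
    <servlet-name>BookInfo</servlet-name>  <!-- assumed name -->
    <servlet-class>catalog.BookInfo</servlet-class>
    <security-role-ref>
      <description>
        BookInfo calls isUserInRole("writer"); the user store uses "author".
      </description>
      <role-name>writer</role-name>   <!-- name hard-coded in the servlet -->
      <role-link>author</role-link>   <!-- role the container actually knows -->
    </security-role-ref>
  </servlet>

  <servlet>
    <servlet-name>EmployeeData</servlet-name>  <!-- assumed name -->
    <servlet-class>hr.EmployeeData</servlet-class>
    <security-role-ref>
      <role-name>goodguy</role-name>
      <role-link>nobleSpirited</role-link>
    </security-role-ref>
    <!-- Assumed: the page only spells out the goodguy alias; this one
         follows the same pattern for the other role. -->
    <security-role-ref>
      <role-name>meanie</role-name>
      <role-link>meanSpirited</role-link>
    </security-role-ref>
  </servlet>

  <!-- Each role-link target is declared as a security role of the application. -->
  <security-role><role-name>author</role-name></security-role>
  <security-role><role-name>nobleSpirited</role-name></security-role>
  <security-role><role-name>meanSpirited</role-name></security-role>
</web-app>
```

Each alias applies only to the servlet element that contains it, so isUserInRole("writer") in any other servlet is not affected by the BookInfo mapping. When reviewing a descriptor, check that every role-link names a role that is declared in a security-role element and exists in the user store; a misspelled link makes the authorization check fail for everyone rather than raising an error.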