Similarly, you can use security-role-ref to say that isUserInRole("meanie") should return true for the same users that isUserInRole("meanSpirited") would. Listing 4.1 shows a deployment descriptor that accomplishes both of these tasks.
Listing 4.1 web.xml (Excerpt illustrating security role aliases)
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
4.2 Example: Combining Container-Managed and Programmatic Security
Listing 4.2 presents a JSP page that augments the internal Web site for hot-dot-com.com that was introduced in Section 3.4 (Example: BASIC Authentication). The page shows plans for employee pay. Because of entries in web.xml (Listing 4.3), the page can be accessed only by users in the employee or executive roles. Although both groups can access the page, they see substantially different results. In particular, the planned pay scales for executives are hidden from the normal employees. Figure 4-1 shows the page when it is accessed by user gates or ellison (both in the employee role; see Listing 3.25). Figure 4-2 shows the page when it is accessed by user mcnealy (in the executive role).
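The two mechanisms described above (security-role-ref aliases in Listing 4.1, and the container-managed constraint plus programmatic isUserInRole check of the pay-plans page) can be modeled outside a servlet container. The following is an added example, not code from the book or from any listing it describes: a small Python model that parses a constructed web.xml excerpt and reproduces the container's rules. The servlet name PayPlans, the URL /pay-plans.jsp, and the user-to-role table (gates and ellison as employees, mcnealy as executive, ellison additionally in meanSpirited) are assumptions standing in for the realm of Listing 3.25; URL matching is simplified to exact patterns.

```python
"""Model of servlet-container role resolution: security-role-ref aliases,
security-constraint gating, and a page's own isUserInRole() decisions.
Constructed example; not the book's listings."""
import xml.etree.ElementTree as ET

# Constructed web.xml excerpt (assumed names, not the book's Listing 4.1/4.3).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>PayPlans</servlet-name>
    <jsp-file>/pay-plans.jsp</jsp-file>
    <security-role-ref>
      <role-name>meanie</role-name>
      <role-link>meanSpirited</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pay plans</web-resource-name>
      <url-pattern>/pay-plans.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
      <role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>employee</role-name></security-role>
  <security-role><role-name>executive</role-name></security-role>
  <security-role><role-name>meanSpirited</role-name></security-role>
</web-app>
"""

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

# Constructed user -> roles table standing in for the realm (assumption).
USERS = {
    "gates": {"employee"},
    "ellison": {"employee", "meanSpirited"},
    "mcnealy": {"executive"},
    "guest": set(),
}


def parse_web_xml(text):
    """Return (aliases, constraints): per-servlet role-name -> role-link maps
    and a list of (url-patterns, allowed-roles-or-None) constraints."""
    root = ET.fromstring(text)
    aliases = {}
    for servlet in root.findall("j2ee:servlet", NS):
        name = servlet.findtext("j2ee:servlet-name", namespaces=NS)
        refs = {}
        for ref in servlet.findall("j2ee:security-role-ref", NS):
            role_name = ref.findtext("j2ee:role-name", namespaces=NS)
            refs[role_name] = ref.findtext("j2ee:role-link", namespaces=NS)
        aliases[name] = refs
    constraints = []
    for sc in root.findall("j2ee:security-constraint", NS):
        patterns = {p.text for p in sc.findall(
            "j2ee:web-resource-collection/j2ee:url-pattern", NS)}
        ac = sc.find("j2ee:auth-constraint", NS)
        # No auth-constraint means unrestricted; an empty one means nobody.
        roles = None if ac is None else {r.text for r in ac.findall("j2ee:role-name", NS)}
        constraints.append((patterns, roles))
    return aliases, constraints


def is_user_in_role(user, role, servlet, aliases):
    """Spec semantics: a role-name declared in a security-role-ref for this
    servlet is translated to its role-link; an undeclared name is used as-is."""
    actual = aliases.get(servlet, {}).get(role, role)
    return actual in USERS.get(user, set())


def container_allows(user, url, constraints):
    """Container-managed check, run before the page executes. Simplified to
    exact url-pattern matches (real containers also do prefix/extension)."""
    for patterns, roles in constraints:
        if url in patterns:
            if roles is None:
                return True
            return bool(roles & USERS.get(user, set()))
    return True


def render_pay_plans(user, aliases, constraints):
    """Mimic the JSP: the container gates entry, then the page decides
    server-side which sections to emit. None means the container refused."""
    if not container_allows(user, "/pay-plans.jsp", constraints):
        return None
    sections = ["employee-pay"]
    if is_user_in_role(user, "executive", "PayPlans", aliases):
        sections.append("executive-pay")
    return sections


if __name__ == "__main__":
    a, c = parse_web_xml(WEB_XML)
    for u in USERS:
        print(u, render_pay_plans(u, a, c),
              "meanie" if is_user_in_role(u, "meanie", "PayPlans", a) else "")
```

The point the model makes visible is that the alias only exists for the servlet that declares it, and that the executive section is omitted from the response on the server rather than hidden by the client, so an employee never receives it.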