Currently, Tomcat only checks against <security-role-ref> elements if there is a call to isUserInRole(). Prior to Servlet 3.0 this made sense. The person deploying the web application has control over web.xml and hence the security roles (those used in security constraints) but no control over application roles (those used by developers in Servlets with isUserInRole()) and therefore needed a mechanism to map the application roles to security roles.
This mechanism is usually used to map application roles to security roles that exist in an external authentication and authorisation system such as an LDAP directory. For example, the application role admin in the HR application may get mapped to the hr-manager role that exists in the LDAP directory. With Servlet 3.0 plugability features the picture changes a little. Now a fragment may define security constraints that use a security role that does not match the organisations security roles and can't be modified in the application's web.xml. For example, an HR application with two fragments may define a role "admin" in fragment A and "sysuser" in fragment B both of which need to be mapped to the "hr-manager" role. Oh, and just to throw a spanner in the works, if a Filter uses isUserInRole() there is no way to map the application role to a security role. I'm currently unsure how this issue should be addressed. The options as I see them are: a) There is an obvious solution I have missed. b) Check <security-role-ref>'s when processing security constraints. c) Something else. Given the Filter issue, I think c) is the only viable option. Tomcat's current behaviour looks to be specification compliant but there appears to me to be an issue here the the Servlet EG needs to address. Before I move this issue there what do folks think about this? Is there an issue or am I missing the obvious? Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
