users@glassfish.java.net

Re: Principal and Role Handling - Expected behaviour?

From: <glassfish_at_javadesktop.org>
Date: Fri, 27 Nov 2009 02:55:16 PST

Yes, isUserInRole() works for those authenticated users whose roles have been declared in the <security-role> element:

From the spec:

"The isUserInRole method expects a String user role-name parameter. A
security-role-ref element should be declared in the deployment descriptor with a
role-name sub-element containing the rolename to be passed to the method. A
security-role-ref element should contain a role-link sub-element whose value is
the name of the security role that the user may be mapped into. The container
uses the mapping of security-role-ref to security-role when determining the
return value of the call.

If no security-role-ref element matching a security-role element has been
declared, the container must default to checking the role-name element argument
against the list of security-role elements for the web application. The
isUserInRole method references the list to determine whether the caller is mapped
to a security role. The developer must be aware that the use of this default
mechanism may limit the flexibility in changing rolenames in the application
without having to recompile the servlet making the call."

To work around your issue, could you try using the security-role-ref element to your advantage?

Thanks,
Nithya
[Message sent by forum member 'nitkal' ]

http://forums.java.net/jive/thread.jspa?messageID=373595
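
The lookup order quoted from the spec above, as an added example that is not part of the original message and is not GlassFish code: a small Python check that reads a deployment descriptor and reports which security-role a given isUserInRole() argument resolves to for a servlet. The descriptor, servlet names and role names are constructed for illustration, the sample omits the XML namespace a real web.xml carries, and treating a role-link that names an undeclared role as "no match" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (all names are assumptions, not from the thread).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>MGR</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>PlainServlet</servlet-name>
    <servlet-class>example.PlainServlet</servlet-class>
  </servlet>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""


def resolve_role(web_xml, servlet_name, role_arg):
    """Return the security-role that isUserInRole(role_arg) is checked against
    for the given servlet, or None if the name resolves to no declared role."""
    root = ET.fromstring(web_xml)
    declared = {r.findtext("role-name").strip() for r in root.findall("security-role")}
    for servlet in root.findall("servlet"):
        if servlet.findtext("servlet-name").strip() != servlet_name:
            continue
        for ref in servlet.findall("security-role-ref"):
            if ref.findtext("role-name").strip() == role_arg:
                link = (ref.findtext("role-link") or "").strip()
                # Assumption: a role-link must name a declared security-role.
                return link if link in declared else None
    # No matching security-role-ref: default to the security-role list.
    return role_arg if role_arg in declared else None


def is_user_in_role(web_xml, servlet_name, role_arg, caller_roles):
    """caller_roles: the security roles the container mapped the caller into."""
    target = resolve_role(web_xml, servlet_name, role_arg)
    return target is not None and target in caller_roles


if __name__ == "__main__":
    for servlet, arg in [("ReportServlet", "MGR"), ("PlainServlet", "MGR"),
                         ("PlainServlet", "auditor")]:
        print(servlet, arg, "->", resolve_role(WEB_XML, servlet, arg))
```

Running it over a descriptor before deployment shows which hard-coded role names in servlet code resolve to nothing and would therefore always be denied.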