<!-- Sample realm users for the example. Credentials are stored here in clear text;
     these are demo values only. The role a user is given here is the realm-side
     name (e.g. "supervisor"); the servlet itself checks a different name ("manager")
     and web.xml links the two. -->
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="john" password="jjj" roles="employee" />
  <user name="mary" password="mmm" roles="employee" />
  <!-- NOTE(review): role list has a space after the comma; confirm the realm trims
       role names, otherwise " supervisor" would not match "supervisor". -->
  <user name="bob" password="bbb" roles="employee, supervisor" />
</tomcat-users>
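/**
 * Renders a small HTML page that differs depending on the caller's container role.
 *
 * <p>The user name and role come from the servlet container's security layer
 * ({@code getRemoteUser}, {@code isUserInRole}); the role name {@code "manager"}
 * used here is the servlet-local name that web.xml links to the realm's role.
 *
 * @param req the current request; only its security-related accessors are read
 * @param res the response the page is written to
 * @throws ServletException declared for container compatibility
 * @throws IOException if the response writer cannot be obtained or written
 */
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    // Declare the content type and charset before the writer is obtained; the
    // original left the response without any declared type.
    res.setContentType("text/html;charset=UTF-8");
    PrintWriter pw = res.getWriter();

    // Diagnostic output of the container's security view of this request.
    System.out.println("remote user=" + req.getRemoteUser());
    System.out.println("user principal=" + req.getUserPrincipal());
    System.out.println("req.isUserInRole(\"manager\") = " + req.isUserInRole("manager"));

    pw.println("<html><head>");
    pw.println("<title>Programatic Security Example</title>");
    pw.println("</head>");
    pw.println("<body>");

    String username = req.getRemoteUser();
    if (username != null) {
        // The user name is echoed into HTML; escape it so it is rendered as text
        // regardless of what characters the realm allows in a user name.
        pw.println("<h4>Welcome, " + escapeHtml(username) + "!</h4>");
    }

    // "manager" is resolved by the container through the security-role-ref
    // in web.xml, not matched literally against the realm's role list.
    if (req.isUserInRole("manager")) {
        pw.println("<b>Manager's Page!</b>");
    } else {
        pw.println("<b>Employee's Page!</b>");
    }
    pw.println("</body></html>");
}

/**
 * Replaces the characters that carry meaning in HTML text and attribute values
 * with their entity references.
 *
 * @param s the raw text; must not be null
 * @return the escaped text, safe to embed in an HTML text node
 */
private static String escapeHtml(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
            case '&':  sb.append("&amp;");  break;
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '"':  sb.append("&quot;"); break;
            case '\'': sb.append("&#39;");  break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}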
Observe that tomcat-users.xml defines the role 'supervisor', whereas the servlet code checks for the role name 'manager'. The mapping between the two is declared in web.xml with the following <security-role-ref> element:
<servlet>
  <servlet-name>ProgramaticSecureServlet</servlet-name>
  <servlet-class>chapter9.ProgramaticSecureServlet</servlet-class>
  <!-- Links the role name the servlet passes to isUserInRole ("manager") to the
       role actually assigned in the realm ("supervisor"). Without this link the
       check would be made against the literal name "manager". -->
  <security-role-ref>
    <role-name>manager</role-name>
    <role-link>supervisor</role-link>
  </security-role-ref>
</servlet>