I'm developing a web project with Java EE and I want some JSPs to be accessible only to certain kinds of users. I've read that using the web.xml descriptor I can set the visibility of some resources only to a 'role-name'. But how do I set this role-name in the HTTP session?
For instance, my descriptor has:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Access to Student pages</web-resource-name>
        <url-pattern>/Student/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Student</role-name>
    </auth-constraint>
</security-constraint>
Where/How do I define the 'Student' role-name?
That is the job of your application server. The server will store the roles in the session after authentication (if authentication is done by the server).
web.xml
-- in your app
<security-constraint>
    <web-resource-collection>
        <url-pattern>/Student/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Student</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
How to assign users/logins to roles is server dependent; here is a very basic example for Tomcat:
tomcat-users.xml
-- This file is in your Server, you have to extend it!
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="Student"/> <!-- you have to define all roles -->
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="myname" password="mypassword" roles="Student"/> <!-- you have to assign login and roles -->
</tomcat-users>
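A fuller version of the descriptor discussed above, as an added example that is not part of the original question or answer: it declares the role, and requires TLS because BASIC authentication resends the credentials with every request. The Servlet 3.1 schema and the realm name "Student area" are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml, Servlet 3.1 (Java EE 7) schema assumed -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Access to Student pages</web-resource-name>
      <url-pattern>/Student/*</url-pattern>
      <!-- No <http-method> element: the constraint applies to every
           HTTP method. Listing only GET/POST would leave the other
           methods unprotected for this URL pattern. -->
    </web-resource-collection>

    <!-- Only authenticated users holding this role get through. -->
    <auth-constraint>
      <role-name>Student</role-name>
    </auth-constraint>

    <!-- BASIC sends "user:password" base64-encoded (not encrypted)
         on each request, so require a confidential (TLS) transport. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Realm name shown in the browser prompt (constructed value). -->
    <realm-name>Student area</realm-name>
  </login-config>

  <!-- Declare every role that an <auth-constraint> refers to. The
       server's user store (tomcat-users.xml in the answer above)
       maps logins to this role name. -->
  <security-role>
    <role-name>Student</role-name>
  </security-role>
</web-app>
```

The container, not the application, attaches the role to the authenticated request; a JSP or servlet can query it with `request.isUserInRole("Student")`. The CONFIDENTIAL guarantee only takes effect when the server has an HTTPS connector configured.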