Checking Security Roles Programmatically

Role-based authentication is nice when you can partition pages based on a role, but you can rarely make this kind of authentication seamless. Suppose you want to set up pages that can only be run by someone in a manager role. You can group the pages into a separate Web resource collection and specify a role name of manager in the <auth-config> tag for the collection. The problem is determining where to put the links to the manager-only pages.

If you put them on a page that everyone can access, the nonmanager users might click the link and see an error page. Although this mechanism does secure your application, it doesn't make it pretty.
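One way to handle this, shown here as an added example rather than code from the book, is to ask the container at render time whether the caller holds the role, using the standard `HttpServletRequest.isUserInRole` method, and to emit the manager-only link only when it does. The example assumes a deployment descriptor that declares a `manager` role and protects everything under `/manager/*` with a security constraint; the servlet class name, the role constant and the page paths are illustrative assumptions, not anything the book specifies.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the book): a navigation servlet that renders the
// manager-only link only for users the container has placed in the "manager"
// role. Assumes web.xml declares <security-role><role-name>manager</role-name>
// and a <security-constraint> covering /manager/* (hypothetical paths).
public class NavigationServlet extends HttpServlet {

    // Role name assumed to match the role declared in web.xml.
    static final String MANAGER_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String ctx = request.getContextPath();

        out.println("<html><body><ul>");
        out.println("<li><a href=\"" + ctx + "/home.jsp\">Home</a></li>");

        // The container decides role membership from the authenticated principal;
        // an anonymous user (no principal) is never in any role, so the link is
        // simply omitted rather than leading the user to an error page.
        if (request.isUserInRole(MANAGER_ROLE)) {
            out.println("<li><a href=\"" + ctx + "/manager/reports.jsp\">Manager reports</a></li>");
        }
        out.println("</ul></body></html>");
    }

    // Defence in depth for the manager pages themselves: hiding a link is a
    // usability measure, not an access control. A handler under /manager/* can
    // call this before doing any work so that a direct request by a non-manager
    // is refused even if the declarative constraint were misconfigured.
    static boolean requireRole(HttpServletRequest request, HttpServletResponse response,
                               String role) throws IOException {
        if (request.getUserPrincipal() == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}
```

In a JSP the same check is written as `<% if (request.isUserInRole("manager")) { %> ... <% } %>` around the link. Note that `isUserInRole` only reflects roles the container established during authentication; it does not replace the `<security-constraint>` on the protected pages, which is what actually blocks a non-manager who types the URL by hand.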

Tip

A user should never see an error page as part of the ...

Get Special Edition Using Java™ 2 Enterprise Edition now with the O’Reilly learning platform.
