>> There is no such facility in the servlet api. Given a user, there is no way
>> to get a list of roles to which the user belongs. I too find this a
>> distressing limitation in using container managed security.
>
>In some complex security scenarios, it is not always possible for a
>container to articulate all possible roles that a user can be a member of.

I guess, but I don't really actually care about that functionality. I can't see why it's not desirable to be able to get a list of roles that a user _does_ belong to.

>Tomcat doesn't enforce this restriction, but the J2EE specs say that an
>app must list all the roles it uses (either in security constraints or
>via programmatic lookups) in <security-role> elements in the web.xml file.
>If you did this, you could parse "/WEB-INF/web.xml" and identify the list.

That's an interesting feature/restriction. I guess while I have your attention :) I'd ask how/if you'd solve this problem using container-managed security?

You've got a webapp which, I dunno, implements a document management system. The DMS puts documents into several categories, and various users can add, edit, or remove documents in those categories, depending on their roles in those categories. Assuming the categories are dynamic, there's no way to implement this using container-managed security, is there?

- donald
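
The web.xml approach suggested in the quoted reply, as an added example that is not part of the original thread: collect the role names declared in `<security-role>` elements and keep those for which `isUserInRole()` returns true. The class name `DeclaredRoles` and its methods are hypothetical, and the code assumes the `javax.servlet` API and the JDK's built-in XML parser (which accepts the Xerces feature names used).

```java
import java.io.InputStream;
import java.util.Set;
import java.util.TreeSet;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper: lists the declared roles the current caller holds. */
public final class DeclaredRoles {
    private DeclaredRoles() {}

    /** Role names from the <security-role> elements of /WEB-INF/web.xml. */
    public static Set<String> declared(ServletContext ctx) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Older descriptors carry a DOCTYPE, so it stays legal, but the parser
        // must never fetch the DTD or resolve external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        Set<String> roles = new TreeSet<>();
        try (InputStream in = ctx.getResourceAsStream("/WEB-INF/web.xml")) {
            if (in == null) return roles;   // descriptor not available
            Document doc = f.newDocumentBuilder().parse(in);
            // Only <security-role> counts; <role-name> also appears under
            // <auth-constraint> and <security-role-ref>.
            NodeList decls = doc.getElementsByTagNameNS("*", "security-role");
            for (int i = 0; i < decls.getLength(); i++) {
                NodeList names = ((Element) decls.item(i)).getElementsByTagNameNS("*", "role-name");
                for (int j = 0; j < names.getLength(); j++) {
                    String name = names.item(j).getTextContent().trim();
                    if (!name.isEmpty()) roles.add(name);
                }
            }
        }
        return roles;
    }

    /** Subset of the declared roles for which isUserInRole() is true. */
    public static Set<String> heldBy(HttpServletRequest req, Set<String> declared) {
        Set<String> held = new TreeSet<>();
        for (String role : declared) {
            if (req.isUserInRole(role)) held.add(role);
        }
        return held;
    }
}
```

The result covers only roles the application declares in web.xml; a role the container's realm grants but the descriptor does not list will not appear.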