On 19/04/2013 21:47, Mark Thomas wrote: > On 19/04/2013 21:37, Propes, Barry L wrote: >> What version are you using? >> >> Mine doesn't contain this attribute pair at all... >> >> <security-role-ref> >> </security-role-ref> > > The version being used is irrelevant. <security-role-ref> is only valid > inside a <servlet> element. > > There might still be a bug here - I'm currently looking at the source to > check - but it isn't the bug the OP thinks they have found.
Digging in to this Tomcat's behaviour is specification compliant. <security-role-ref> are only intended to work with a specific Servlet and only with calls to isUserInRole(). However, that means there are various places where it would be helpful to do a role mapping where it is not currently possible. I have started a discussion on the dev list about how to handle this. It will probably move to the Servlet EG unless I have missed something obvious. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
