
Authorization versus Authentication?

 
Ranch Hand
Posts: 5040
Although taking a 101 class in English grammar can help, I am looking for something more J2EE oriented.
What are the key things that I should know?
Thanks.
- satya
ps:
I haven't done much reading re this topic, just starting...
 
Ranch Hand
Posts: 36
The analogy would be Passport and Visa. Passport establishes your identity (i.e. you are who you claim to be, Authentic) and Visa for a country is a permission to enter that country (i.e. you are authorized).
If you are a defined user to the system you are Authenticated, and then that user might have permissions or not (authorization) to use certain resources in that system.
-Rohit
 
Ranch Hand
Posts: 1072
So is it security-role-ref tag vs. auth-constraint tag ?
[ January 10, 2002: Message edited by: ersin eser ]
 
Rohit Poddar
Ranch Hand
Posts: 36
I think security-role-ref and auth-constraint tags are both for authorizing certain roles to access the resources in question.
security-role-ref
Programmers can control the access to or behavior of the servlet by hard-coding the role names in their code. And security-role-ref helps you link the role name used within the Servlet Code to a role defined in the container, so that the program doesn’t have to be changed and recompiled when the role name changes.
Consider the following example :
  <servlet>
    <servlet-name>contextServlet</servlet-name>
    <servlet-class>com.rohitpoddar.servprac.ContextServlet</servlet-class>
    <!-- "role1" is the name hard-coded in the servlet; "managers" is the container role it maps to -->
    <security-role-ref>
      <role-name>role1</role-name>
      <role-link>managers</role-link>
    </security-role-ref>
  </servlet>
  <!-- the container role that the link above points at -->
  <security-role>
    <role-name>managers</role-name>
  </security-role>
I can in my program use HttpServletRequest.isUserInRole("role1") to see if the user making the request is in the role "managers" (which is a defined role in the container and has certain groups and users associated with it). Now if I want to give access to role "everyone" all I have to do is change the <role-link> tag to
      <role-link>everyone</role-link>
auth-constraint
Here the application assembler defines which roles are authorized to access which resources and then the container takes over to administer the rules.

Authentication is the part where container or programmer asks for the user code and password to find out if the user is indeed a valid user in this system.
[ January 11, 2002: Message edited by: Rohit Poddar ]
 
Ranch Hand
Posts: 136
An excellent analogy, Rohit.
<login-config> is used for authentication, and everything else is for authorization.
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
Thanks.
Glad to see the J2EE part and of course the analogy was good, but I was waiting for the J2EE spin on it.....
- satya
 
Ranch Hand
Posts: 2373
Authentication is something boolean....you have access or not! Authorization is up to which level you have access. So authorization comes if authentication is successful.
We can use the authentication mechanism of our web container or provide one ourselves. What about the authorization....is it a must for a J2EE compliant web server to provide an authorization mechanism also? I think so...