How does an authorization constraint affect authentication?

 
While going through some old postings I saw this posting:
http://www.javaranch.com/ultimatebb.cgi?ubb=get_topic&f=18&t=000777
The person was trying to call getAuthType() in his code and it was always returning null, even after declaring BASIC as the auth-method in login-config.
The answer given was
"You did not supply the Authorization Constraint in the Security Constraint", and this suggestion worked for him.
My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in security-constraint (and auth-constraint is also optional in the security-constraint element) for it to work? Because all he was doing was getting the type of authentication method.
viswam.
 
If you look at the Servlet specs and the explanation of the DTD for the <auth-constraint>, it is as follows:

    The auth-constraint element indicates the user roles that should
    be permitted access to this resource collection. The role-name
    used here must either correspond to the role-name of one of the
    security-role elements defined for this web application,
    If no roles are defined, no user is allowed access to the portion of
    the web application described by the containing security-constraint.
    The container matches role names case sensitively when determining
    access.

So in short, there has to be some role defined for a secured web resource, which is done through <auth-constraint>.
The username, password and role are set up in another XML file, which is implementation dependent. For Tomcat it is (I am not sure, but something like) <tomcat-root>\conf\tomcat-users.xml.
Try this simple experiment. Have the following mapping in web.xml:
    <servlet-mapping>
        <servlet-name>Info Servlet</servlet-name>
        <url-pattern>/servlet/Info</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Basic-Test</web-resource-name>
            <url-pattern>/servlet/Info</url-pattern>
            <!-- HTTP method names are case-sensitive: "Get" would never match a GET request -->
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- Comment this element out to see the difference described below -->
        <auth-constraint>
            <role-name>administrators</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <!-- The spec spells the method names in upper case: BASIC, DIGEST, FORM, CLIENT-CERT -->
        <auth-method>BASIC</auth-method>
        <realm-name>neon</realm-name>
        <!-- Only consulted when auth-method is FORM; it is ignored with BASIC -->
        <form-login-config>
            <form-login-page>/html/FormLogin.html</form-login-page>
            <form-error-page>/error/ErrorLogin.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>administrators</role-name>
    </security-role>

Now if you comment out <auth-constraint>, the server gets the message that all roles are given permission, so this is not a secure resource, and no authentication is required.
 
viswanath sastry
Quoting yogen joshi:

    Now if you comment out <auth-constraint> then the server gets the message that all
    roles are given permission, so this is not a secure resource. So there is no Authentication required.

If you want all authenticated users to have access to a resource, we use * as the role-name. Omitting it means that no roles have access. That means it is completely secure, and not insecure as you say.
Even if no user can access the page, he should at least get the authentication method used in his code. So my question still stays the same:

My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in security-constraint (and auth-constraint is also optional in the security-constraint element) for it to work? Because all he was doing was getting the type of authentication method.


Thanks in advance.
 
viswanath sastry
Knock, knock. Somebody please answer my question.
If the moderators think that this is not the right forum for this question, will they at least move it to the Servlets forum?
thanks.
 
Quoting viswanath sastry:

    My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in security-constraint (and auth-constraint is also optional in the security-constraint element) for it to work? Because all he was doing was getting the type of authentication method.


Simply because he did not have access to the designated resource.
The auth-constraint element designates the users that should have access to protected resources. The role-name element identifies the class of users that have access.
Example:

    <security-constraint>
        <web-resource-collection>---</web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>

This states that only users who are designated as managers should have access to the designated resource (the web-resource-collection), and no other role.
Omitting auth-constraint means that no one has access, whereas * means everybody has access.
Why is this element optional?
There are times when certain pages are not meant for direct client access (a JSP snippet that is intended to be inserted into another file with jsp:include). In this case the user should be prohibited from directly accessing the JSP page. A security-constraint element with no auth-constraint would enforce this restriction.
Note: these security restrictions apply only to direct client access (you can use RequestDispatcher etc.).
We can apply the above theory to certain JSP pages so that they can't be directly accessed by clients.
[ June 02, 2003: Message edited by: Amer Khan ]
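To make the container's decision explicit, here is an added example, written for this thread and not taken from the original posts or from any servlet container's code. It is a small Python model of the rules the Servlet specification gives for selecting and combining security constraints, and it covers both yogen joshi's experiment above (comment out <auth-constraint> and watch the challenge disappear, so getAuthType() stays null) and the role-name cases in Amer Khan's post: an omitted auth-constraint leaves the resource unrestricted, an auth-constraint with no role-name precludes everyone, and * admits any authenticated user. The names SecurityConstraint, Decision, decide, match_score and thread_scenarios are this example's own, and the scenarios are constructed from the web.xml in this thread; realm lookups, transport guarantees and container-specific behaviour such as pre-emptive authentication are left out.

```python
"""Model of when a Servlet container challenges for credentials.

Added example for this thread: not code from the original posts and not any
container's implementation. It models the Servlet specification's rules for
selecting and combining <security-constraint> elements so that the outcome of
a request can be traced. Only a request the container actually authenticated
sees a non-null getAuthType(). All names below are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityConstraint:
    url_patterns: list                                  # <url-pattern> values
    http_methods: list = field(default_factory=list)    # <http-method> values; empty = all methods
    # roles models <auth-constraint>:
    #   None  -> element omitted:       access unrestricted, no challenge
    #   []    -> element lists no role: access precluded for everyone
    #   ["*"] -> any authenticated user; otherwise the listed role names
    roles: Optional[list] = None


@dataclass
class Decision:
    outcome: str                  # "accept", "challenge" or "forbidden"
    auth_type: Optional[str]      # what request.getAuthType() would return in the servlet
    allowed_roles: Optional[set]  # union of permitted roles, None when unconstrained


def match_score(pattern: str, path: str):
    """Rank a url-pattern match the way servlet mapping does: exact, then longest
    path prefix, then extension, then the default "/". None means no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (2, len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None


def decide(constraints, auth_method, path, method, principal_roles=None):
    """Decide one request. principal_roles is None for a request that carries
    no credentials, otherwise the set of roles the authenticated user holds."""
    # 1. Only constraints on the best-matching url-pattern are considered.
    scored = [(match_score(p, path), c) for c in constraints for p in c.url_patterns]
    scored = [(s, c) for s, c in scored if s is not None]
    if not scored:
        return Decision("accept", None, None)       # nothing protects this URL
    best = max(s for s, _ in scored)
    selected = [c for s, c in scored if s == best]
    # 2. Among those, only constraints that cover this HTTP method apply.
    selected = [c for c in selected if not c.http_methods or method in c.http_methods]
    if not selected:
        return Decision("accept", None, None)       # e.g. POST when only GET is listed
    # 3. Combine the auth-constraints of the selected constraints.
    if any(c.roles is None for c in selected):
        return Decision("accept", None, None)       # omitted auth-constraint: unrestricted
    if any(c.roles == [] for c in selected):
        return Decision("forbidden", None, set())   # empty auth-constraint: nobody at all
    allowed = set().union(*(c.roles for c in selected))
    if principal_roles is None:
        return Decision("challenge", None, allowed)  # 401 + WWW-Authenticate for BASIC
    if "*" in allowed or allowed & principal_roles:
        return Decision("accept", auth_method, allowed)
    return Decision("forbidden", auth_method, allowed)  # authenticated but wrong role: 403


INFO = "/servlet/Info"   # the URL from the web.xml posted in this thread


def thread_scenarios():
    """The variants discussed in the thread, for GET /servlet/Info under BASIC auth.
    The constraints are constructed here from the posted web.xml."""
    admins_only = [SecurityConstraint([INFO], ["GET"], roles=["administrators"])]
    omitted = [SecurityConstraint([INFO], ["GET"], roles=None)]   # <auth-constraint> commented out
    no_roles = [SecurityConstraint([INFO], ["GET"], roles=[])]    # <auth-constraint/> with no role-name
    any_user = [SecurityConstraint([INFO], ["GET"], roles=["*"])]
    return {
        "admins only, no credentials": decide(admins_only, "BASIC", INFO, "GET"),
        "admins only, administrator": decide(admins_only, "BASIC", INFO, "GET", {"administrators"}),
        "admins only, other role": decide(admins_only, "BASIC", INFO, "GET", {"users"}),
        "auth-constraint omitted": decide(omitted, "BASIC", INFO, "GET"),
        "auth-constraint empty, admin": decide(no_roles, "BASIC", INFO, "GET", {"administrators"}),
        "role-name *, any user": decide(any_user, "BASIC", INFO, "GET", {"users"}),
        "admins only, but POST": decide(admins_only, "BASIC", INFO, "POST"),
    }


if __name__ == "__main__":
    for name, d in thread_scenarios().items():
        print(f"{name:30} -> {d.outcome:9} getAuthType()={d.auth_type}")
```

Run it directly to print one line per scenario. The first row is the situation from the original posting: with no credentials and a role-restricted constraint the container challenges, and only after that challenge succeeds does the servlet see "BASIC" from getAuthType(); with the auth-constraint omitted there is never a challenge and the value stays null. The last row is the caveat a reviewer would flag in the web.xml above: listing only GET in <http-method> leaves POST and every other method on the same URL unconstrained, so either list every method that must be protected or omit <http-method> altogether.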
 
Amer Khan
Quoting visu.:

    The answer given was
    "You did not supply the Authorization Constraint in the Security Constraint" and this suggestion worked for him

Just think about it.
 
viswanath sastry
Thanks Amer,
your answer was very informative.
 