Which one is first? Authentication/Authorisation

Ranch Hand
Posts: 344
Which one will be checked first? Authentication or Authorization?
I thought it would do the authentication first and, if that succeeds, then check for authorisation. But after trying some examples I came to know that this is true only when there is at least one <role-name> specified in the <auth-constraint>.

If there is no <role-name> in the <auth-constraint>, then authorisation is executed first.

Am I right? Any feedback on it, if I am wrong.

And I came to know that only if <auth-constraint> is there will authentication be performed. So we can't say that using <login-config> alone will take care of the authentication; it's the combination of both <login-config> and <auth-constraint>. Am I right?
[ January 16, 2007: Message edited by: Micheal John ]
Ranch Hand
Posts: 1277
Yes...
If you have no resources to authorise, why would you want anyone to authenticate before he enters your website?
Greenhorn
Posts: 2
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically).

Based on your login preference you can choose any of four methods (BASIC, DIGEST, CLIENT-CERT or FORM).
For testing I go with BASIC. You can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file:
<user username="abc" password="xyz" roles="manager"/>
<user username="def" password="def" roles="admin,manager"/>

In your web.xml you can define the

<login-config><auth-method>BASIC</auth-method></login-config>

This will take care of your Authentication.


1. The first step to do Authorization is to define roles. In Tomcat you can define roles in the \Tomcat 5.0\conf\tomcat-users.xml file.

You define these roles in web.xml so that the container can map roles to users:

<security-role>
<role-name>manager</role-name>
<role-name>admin</role-name>
</security-role>

2. Now you can define which resources/methods you want to constrain; you do that in the web.xml file using security-constraint (declaratively).

Here I authorize only the admin role to view a particular page:
<security-constraint>
<web-resource-collection>
<web-resource-name>xxx</web-resource-name>
<url-pattern>/hobby.do</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Now someone with the admin role is authorized to view the hobby.do page. E.g. user "abc" may log on but can't access hobby.do; only user "def" can. I am not listing any methods, which means all the methods on this page are constrained.

Summary
It's Authentication first (you are who you say you are) then Authorization (you can access what your role determines).

Hope this helps
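To make the three cases discussed in this thread concrete (no <auth-constraint>, an empty <auth-constraint>, and an <auth-constraint> that names roles), here is an added Python model of the container's decision; it is written for this thread, not Tomcat's own code, and the web.xml fragment and the users' roles are constructed for the example.

```python
"""Simplified model of how a Servlet container applies <security-constraint>
rules (added illustration, not Tomcat's source). Spec semantics modelled:
no <auth-constraint>      -> access without any login,
empty <auth-constraint>   -> access is always refused,
<role-name> entries       -> authenticate first, then check the role.
Whether a container prompts for login before refusing an empty constraint is
container-specific; HTTP-method lists and the '*' role are left out here."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: /hobby.do needs admin (as in the reply above),
# /secret/* is denied to everyone, /public/* is listed without an auth-constraint.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/hobby.do</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/secret/*</url-pattern></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
 </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Return (url_pattern, roles) pairs; roles is None when there is no
    <auth-constraint> and [] when the element is present but empty."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.iter("role-name")]
        for p in sc.iter("url-pattern"):
            out.append((p.text.strip(), roles))
    return out

def matches(pattern, path):
    """Exact match or '/prefix/*' path-prefix match (extension mappings omitted)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def decide(constraints, path, user_roles):
    """user_roles is None for an unauthenticated request, else the user's roles.
    Returns 'allow', 'challenge' (401 / login form) or 'forbid' (403)."""
    needed = [roles for pat, roles in constraints if matches(pat, path)]
    if not needed or any(r == [] for r in needed):
        return "allow" if not needed else "forbid"   # unconstrained / empty overrides all
    if any(r is None for r in needed):
        return "allow"        # a constraint without auth-constraint grants access without login
    if user_roles is None:
        return "challenge"    # roles required: authenticate first ...
    return "allow" if set().union(*needed) & set(user_roles) else "forbid"  # ... then authorize

CONSTRAINTS = parse_constraints(WEB_XML)
```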