Which one is first? Authentication/Authorisation

Which one will be checked first? Whether Authentication or Authorization?
I thought first it will do the authentication and, if that succeeds, then it will check for authorisation. But after trying some examples I came to know that this is true only when there is at least one <role-name> specified in the <auth-constraint>.

If there is no <role-name> in the <auth-constraint>, then authorisation is executed first.

Am I right? Any feedback on it, if I am wrong.

And I came to know that authentication will be performed only if <auth-constraint> is there. So we can't say that using <login-config> alone will take care of the authentication; it's the combination of both <login-config> and <auth-constraint>. Am I right?
[ January 16, 2007: Message edited by: Micheal John ]
If you have no resources to authorise, why do you want anyone to authenticate before he enters your website?
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically).

Based on your login preference you can choose any of four methods (BASIC, DIGEST, CLIENT-CERT or FORM).
For testing I go with BASIC. You can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file:

<user username="abc" password="xyz" roles="manager"/>
<user username="def" password="def" roles="admin,manager"/>

In your web.xml you can define the

<login-config><auth-method>BASIC</auth-method></login-config>

This will take care of your Authentication.

1. The first step to do Authorization is to define roles. In Tomcat you can define roles in the \Tomcat 5.0\conf\tomcat-users.xml file.

You define these roles in web.xml so that the container can map roles to users.


2. Now you can define which resources/methods you want to constrain. You do that in the web.xml file using security-constraint (declaratively).

Here I authorize only the admin role to view a particular page:

<role-name>admin</role-name>

Now someone with the admin role is authorized to view the hobby.do page. E.g. user "abc" may log on but can't access hobby.do; only user "def" can. I am not listing any methods, which means all the methods on this page are constrained.

It's Authentication first (you are who you say you are), then Authorization (you can access what your role determines).

Hope this helps
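To make the three cases from this thread concrete, here is a constructed web.xml fragment (added here, not code from either poster) that puts them side by side: a constraint with a role, an empty <auth-constraint/>, and a constraint with no <auth-constraint> at all. The URL patterns, realm name and the second and third resources are assumed for illustration; only hobby.do and the admin role come from the thread.

```xml
<!-- Constructed web.xml fragment for a Servlet 2.5 application -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Case 1: auth-constraint names a role. An unauthenticated request gets a
       401 BASIC challenge (authentication first); a user who logs in but does
       not hold "admin" then gets a 403 (authorization second). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin page</web-resource-name>
      <url-pattern>/hobby.do</url-pattern>
      <!-- no http-method listed: every method is constrained -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 2: empty auth-constraint. No role can satisfy it, so the container
       returns 403 straight away without asking for credentials. This is the
       "authorisation runs first" behaviour the original poster observed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disabled area</web-resource-name>
      <url-pattern>/internal/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Case 3: no auth-constraint at all. Anyone may access the resource and no
       login prompt appears; the constraint only enforces HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public over TLS</web-resource-name>
      <url-pattern>/public/*</url-pattern>     <!-- assumed path -->
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- login-config alone never triggers a challenge; it only says how to
       authenticate once some auth-constraint requires it. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>   <!-- assumed name -->
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

To check the behaviour, request each path without credentials: case 1 should answer 401 with a WWW-Authenticate header, case 2 should answer 403 with no challenge, and case 3 should serve the page (or redirect to HTTPS).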