Q1)I want to know the difference between auth-constraint vs security-role?
As fas i think that
<auth-constaint> is one who can make constraint request to resource.
<security-role> is one who can make access the application.
Please correct if i am wrong?

Hi,

<security-role> define the entries for the roles available to the application. The roles are provided by container, through its authentication mechanism. Tomcat, by default, uses tomcat-users.xml to define the users and roles.

Thanks

<auth...> is only when we want to...tell which resources are to be constrained

so at that time we use it depending upon the roles what we have mentioned
in the

<securtiy-role>

and also.. casing is very important when we mention in <auth

Hi Kajal,
What do you mean by constrained?
With regards,
Padma priya N.G.

constrained means "conditions" that is when we what to access a particular....
source.. then.. we need to get permission so..

we will keep some condition which the user must satisfy.. to..get the.. particular source

Using the BASIC authentication the user is been prompted by the browser
to enter the name and password.
Based on that the role of the user can be found out using tomcat-users.xml.

From that point onwards the Container knows the role of the user accessing the application.

<security-role> defines the possible user roles in the Application using the <role-name> tag nested in that.

<auth-constraint> is constrainting a particular resource to a particular role using the <role-name> tag.

Take care constraining is not at the role level.It is role+httpmethod

Hi James,
From where do we find the role of the user in tomcat-users.xml?
Can you please help me?
Thanks.

<tomcat-users> tag in tomcat-users.xml contains a nested <user> tag...
As an example.
<user name="JamesMark" password="007Gun$" roles="Admin,Guest">

Upon login we give username and password it is being mapped into the above
one and Container get the information that JamesMark has two roles ie Admin and Guest.

Now
<auth-constraint>Admin</auth-constraint>

allows JamesMark to access the urlpattern say
<url-pattern>/Bank/AddUser/*</url-pattern> defined in the one or many
<web-resource-collection> elements in the <security-constraint>.

Hi Mark,

<auth-constraint>Admin</auth-constraint>

You had mentioned Admin within auth-constraint which is an error. It should have been

<auth-constraint>
<role-name>Admin<role-name>
</auth-constraint>

Thanks.

Hi,
Am I right?
Thanks.

Yes Priya

You are right.

And kajal

<auth-constaint> is concernd about constrianing the request on the resource not the resource. Please ammend it.
while <security-role> is defining the various roles defined for the application.

Regards,
Khushhal

Hi Khushal,
Thanks.

sorry it was a Friday and was planning to reach home fastly at that point in time....
sorry for the mistake.....

Just working from my notes, I think it might be the case that
the relevant tag in tomcat-users.xml is

<role rolename="guest"/>

which is slightly different than the element in the auth-constraint
tagset:

<role-name>"guest"</role-name>

It helps to take note of this to avoid confusion.

Ken