
auth-constraint vs security-role

 
Satyajeet Kadam
Ranch Hand
Posts: 224
Q1) I want to know the difference between auth-constraint vs security-role?
As far as I think,
<auth-constraint> is one who can make constraint request to resource.
<security-role> is one who can access the application.
Please correct me if I am wrong.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

<security-role> defines the entries for the roles available to the application. The roles are provided by the container, through its authentication mechanism. Tomcat, by default, uses tomcat-users.xml to define the users and roles.

Thanks
 
kajal mukergi
Ranch Hand
Posts: 102
<auth...> is only when we want to tell which resources are to be constrained,

so at that time we use it depending upon the roles we have mentioned in the

<security-role>

and also, casing is very important when we mention in <auth
 
Padma priya Gururajan
Ranch Hand
Posts: 437
Hi Kajal,
What do you mean by constrained?
With regards,
Padma priya N.G.
 
kajal mukergi
Ranch Hand
Posts: 102
Constrained means "conditions", that is, when we want to access a particular source, then we need to get permission, so

we will keep some condition which the user must satisfy to get the particular source.
 
James Mark
Ranch Hand
Posts: 115
Using BASIC authentication, the user is prompted by the browser to enter the name and password.
Based on that, the role of the user can be found out using tomcat-users.xml.

From that point onwards the Container knows the role of the user accessing the application.

<security-role> defines the possible user roles in the application using the <role-name> tag nested in it.

<auth-constraint> constrains a particular resource to a particular role using the <role-name> tag.

Take care: constraining is not at the role level. It is role + HTTP method.
 
Padma priya Gururajan
Ranch Hand
Posts: 437
Hi James,
From where do we find the role of the user in tomcat-users.xml?
Can you please help me?
Thanks.
 
James Mark
Ranch Hand
Posts: 115
The <tomcat-users> tag in tomcat-users.xml contains a nested <user> tag...
As an example:
<user name="JamesMark" password="007Gun$" roles="Admin,Guest"/>

Upon login we give a username and password; it is mapped to the above
entry and the Container gets the information that JamesMark has two roles, i.e. Admin and Guest.

Now
<auth-constraint>Admin</auth-constraint>

allows JamesMark to access the url-pattern, say
<url-pattern>/Bank/AddUser/*</url-pattern>, defined in one or many
<web-resource-collection> elements in the <security-constraint>.
 
Padma priya Gururajan
Ranch Hand
Posts: 437
Hi Mark,
<auth-constraint>Admin</auth-constraint>



You had mentioned Admin within auth-constraint which is an error. It should have been

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

Thanks.
 
Padma priya Gururajan
Ranch Hand
Posts: 437
Hi,
Am I right?
Thanks.
 
khushhal yadav
Ranch Hand
Posts: 242
Yes Priya

You are right.

And kajal

<auth-constraint> is concerned with constraining the request on the resource, not the resource. Please amend it.
while <security-role> defines the various roles defined for the application.

Regards,
Khushhal
 
Padma priya Gururajan
Ranch Hand
Posts: 437
Hi Khushal,
Thanks.
 
James Mark
Ranch Hand
Posts: 115
Sorry, it was a Friday and I was planning to reach home quickly at that point in time....
Sorry for the mistake.....
 
Ken Truitt
Ranch Hand
Posts: 124
Just working from my notes, I think it might be the case that
the relevant tag in tomcat-users.xml is

<role rolename="guest"/>

which is slightly different than the element in the auth-constraint
tagset:

<role-name>"guest"</role-name>

It helps to take note of this to avoid confusion.

Ken
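
An added example, not part of any post in this thread: a Python check that cross-references a web.xml against tomcat-users.xml for the points raised above, namely a role typed directly inside <auth-constraint>, role names whose case differs from the <security-role> declarations or from the roles users hold, and constraints that list specific HTTP methods. The sample descriptors, the `find`/`audit` names and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; the password is a placeholder.
WEB_XML = """<web-app>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Guest</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AddUser</web-resource-name>
      <url-pattern>/Bank/AddUser/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Audit</web-resource-name>
      <url-pattern>/Bank/Audit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>Admin</auth-constraint>
  </security-constraint>
</web-app>"""
TOMCAT_USERS = """<tomcat-users>
  <user name="JamesMark" password="placeholder" roles="Admin,Guest"/>
</tomcat-users>"""

def find(elem, name):
    # Match on local name so namespaced (xmlns) descriptors also work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml, users_xml):
    root, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    declared = {r.text.strip() for s in find(root, "security-role") for r in find(s, "role-name")}
    held = {r.strip() for u in find(users, "user") for r in u.get("roles", "").split(",")}
    out = []
    for sc in find(root, "security-constraint"):
        url = find(sc, "url-pattern")[0].text.strip()
        for ac in find(sc, "auth-constraint"):
            if (ac.text or "").strip():  # role typed as bare text, no <role-name>
                out.append((url, "bare-text"))
            for rn in find(ac, "role-name"):
                role = (rn.text or "").strip()
                if role != "*" and role not in declared:  # exact, case-sensitive match
                    out.append((url, "undeclared:" + role))
                if role != "*" and role not in held:  # no user could satisfy this role
                    out.append((url, "no-user:" + role))
        if find(sc, "http-method"):  # constraint applies only to the listed methods
            out.append((url, "methods-limited"))
    return out

if __name__ == "__main__": print(audit(WEB_XML, TOMCAT_USERS))
```

On the sample, `admin` is flagged because it matches neither the declared `Admin` role nor any role JamesMark holds, and the POST-only constraint is flagged because requests using other methods fall outside it.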
 