Win a copy of Re-engineering Legacy Software this week in the Refactoring forum
or Docker in Action in the Cloud/Virtualization forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Authorization verses Authentication ?

 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Although taking a 101 class in English grammer can help, I am looking for something more J2EE oriented.
Whats the key things that I should know?
Thanks.
- satya
ps:
I haven't done much reading re this topic, just starting...
 
Rohit Poddar
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The analogy would be Passport and Visa. Passport establishes your identity (i.e. you are who you claim to be, Authentic) and Visa for a country is a permission to enter that country (i.e. you are authorized) .
If you are a defined user to the system you are Authenticated and then that user might have permissions or not(authorization) to use certain resources in that system.
-Rohit
 
ersin eser
Ranch Hand
Posts: 1072
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So is it security-role-ref tag vs. auth-constraint tag ?
[ January 10, 2002: Message edited by: ersin eser ]
 
Rohit Poddar
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think security-role-ref and auth-constraint tags are both for authorizing certain roles to access the resources in question.
Secutiry-role-ref
Programmers can control the access to or behavior of the servlet by hard-coding the role names in their code. And secutiry-role-ref helps you link the role name used within the Servlet Code to a role defined in the container, so that the program doesn’t have to be changed and recompiled when the role name changes.
Consider the following example :
<servlet>
<servlet-name>contextServlet</servlet-name>
<servlet-class>com.rohitpoddar.servprac.ContextServlet</servlet-class>
<security-role-ref>
<role-name>role1</role-name>
<role-link>managers</role-link>
</security-role-ref>
</servlet>
<security-role>
<role-name>managers</role-name>
</security-role>
I can in my program use HttpServletRequest.isUserInRole(“role1” ) to see if the user making the request is in the role “managers” (which is a defined role in the container and has certain groups and users associated with it). Now if I want to give access to role "everyone" all I have to do is change the <role-link> tag to
<role-link>everyone</role-link>
auth-constraint
Here the application assembler defines which roles are authorized to access which resources and then the container takes over to administer the rules.

Authentication is the part where container or programmer asks for the user code and password to find out if the user is indeed a valid user in this system.
[ January 11, 2002: Message edited by: Rohit Poddar ]
 
Jim Bertorelli
Ranch Hand
Posts: 136
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
An excellent analogy, Rohit.
<login-config> is used for authentication. and everything else is for authorization.
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks.
Glad to see the J2EE part and ofcourse the anology was good, but I was waiting for the J2EE spin on it.....
- satya
 
Ashik Uzzaman
Ranch Hand
Posts: 2373
Eclipse IDE Firefox Browser Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Authentication is something boolean....you have access or not! Authorization is upto which level u have access. So authorization comes if authentication is successful.
We can use authentication mechanism of our web container or provide one ourselves. What abt the authorization....is it a must for a j2ee compliant web server to provide authorization mechanism also? I think so...
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic