File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Authorization verses Authentication ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of REST with Spring (video course) this week in the Spring forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Authorization verses Authentication ?" Watch "Authorization verses Authentication ?" New topic

Authorization verses Authentication ?

Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
Although taking a 101 class in English grammer can help, I am looking for something more J2EE oriented.
Whats the key things that I should know?
- satya
I haven't done much reading re this topic, just starting...

Take a Minute, Donate an Hour, Change a Life
Rohit Poddar
Ranch Hand

Joined: Aug 18, 2001
Posts: 36
The analogy would be Passport and Visa. Passport establishes your identity (i.e. you are who you claim to be, Authentic) and Visa for a country is a permission to enter that country (i.e. you are authorized) .
If you are a defined user to the system you are Authenticated and then that user might have permissions or not(authorization) to use certain resources in that system.

ersin eser
Ranch Hand

Joined: Feb 22, 2001
Posts: 1072
So is it security-role-ref tag vs. auth-constraint tag ?
[ January 10, 2002: Message edited by: ersin eser ]
Rohit Poddar
Ranch Hand

Joined: Aug 18, 2001
Posts: 36
I think security-role-ref and auth-constraint tags are both for authorizing certain roles to access the resources in question.
Programmers can control the access to or behavior of the servlet by hard-coding the role names in their code. And secutiry-role-ref helps you link the role name used within the Servlet Code to a role defined in the container, so that the program doesn’t have to be changed and recompiled when the role name changes.
Consider the following example :
I can in my program use HttpServletRequest.isUserInRole(“role1” ) to see if the user making the request is in the role “managers” (which is a defined role in the container and has certain groups and users associated with it). Now if I want to give access to role "everyone" all I have to do is change the <role-link> tag to
Here the application assembler defines which roles are authorized to access which resources and then the container takes over to administer the rules.

Authentication is the part where container or programmer asks for the user code and password to find out if the user is indeed a valid user in this system.
[ January 11, 2002: Message edited by: Rohit Poddar ]
Jim Bertorelli
Ranch Hand

Joined: Nov 28, 2001
Posts: 136
An excellent analogy, Rohit.
<login-config> is used for authentication. and everything else is for authorization.
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
Glad to see the J2EE part and ofcourse the anology was good, but I was waiting for the J2EE spin on it.....
- satya
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2373

Authentication is something have access or not! Authorization is upto which level u have access. So authorization comes if authentication is successful.
We can use authentication mechanism of our web container or provide one ourselves. What abt the it a must for a j2ee compliant web server to provide authorization mechanism also? I think so...

Ashik Uzzaman
Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
jQuery in Action, 3rd edition
subject: Authorization verses Authentication ?
It's not a secret anymore!