Although taking a 101 class in English grammer can help, I am looking for something more J2EE oriented. Whats the key things that I should know? Thanks. - satya ps: I haven't done much reading re this topic, just starting...
The analogy would be Passport and Visa. Passport establishes your identity (i.e. you are who you claim to be, Authentic) and Visa for a country is a permission to enter that country (i.e. you are authorized) . If you are a defined user to the system you are Authenticated and then that user might have permissions or not(authorization) to use certain resources in that system. -Rohit
Joined: Feb 22, 2001
So is it security-role-ref tag vs. auth-constraint tag ? [ January 10, 2002: Message edited by: ersin eser ]
Joined: Aug 18, 2001
I think security-role-ref and auth-constraint tags are both for authorizing certain roles to access the resources in question. Secutiry-role-ref Programmers can control the access to or behavior of the servlet by hard-coding the role names in their code. And secutiry-role-ref helps you link the role name used within the Servlet Code to a role defined in the container, so that the program doesn’t have to be changed and recompiled when the role name changes. Consider the following example : <servlet> <servlet-name>contextServlet</servlet-name> <servlet-class>com.rohitpoddar.servprac.ContextServlet</servlet-class> <security-role-ref> <role-name>role1</role-name> <role-link>managers</role-link> </security-role-ref> </servlet> <security-role> <role-name>managers</role-name> </security-role> I can in my program use HttpServletRequest.isUserInRole(“role1” ) to see if the user making the request is in the role “managers” (which is a defined role in the container and has certain groups and users associated with it). Now if I want to give access to role "everyone" all I have to do is change the <role-link> tag to <role-link>everyone</role-link> auth-constraint Here the application assembler defines which roles are authorized to access which resources and then the container takes over to administer the rules.
Authentication is the part where container or programmer asks for the user code and password to find out if the user is indeed a valid user in this system. [ January 11, 2002: Message edited by: Rohit Poddar ]
Joined: Nov 28, 2001
An excellent analogy, Rohit. <login-config> is used for authentication. and everything else is for authorization.
Joined: Jun 03, 2000
Thanks. Glad to see the J2EE part and ofcourse the anology was good, but I was waiting for the J2EE spin on it..... - satya
Authentication is something boolean....you have access or not! Authorization is upto which level u have access. So authorization comes if authentication is successful. We can use authentication mechanism of our web container or provide one ourselves. What abt the authorization....is it a must for a j2ee compliant web server to provide authorization mechanism also? I think so...
Ashik Uzzaman Senior Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.