*
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Authorization verses Authentication ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Authorization verses Authentication ?" Watch "Authorization verses Authentication ?" New topic
Author

Authorization verses Authentication ?

Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
Although taking a 101 class in English grammer can help, I am looking for something more J2EE oriented.
Whats the key things that I should know?
Thanks.
- satya
ps:
I haven't done much reading re this topic, just starting...


Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81
Rohit Poddar
Ranch Hand

Joined: Aug 18, 2001
Posts: 36
The analogy would be Passport and Visa. Passport establishes your identity (i.e. you are who you claim to be, Authentic) and Visa for a country is a permission to enter that country (i.e. you are authorized) .
If you are a defined user to the system you are Authenticated and then that user might have permissions or not(authorization) to use certain resources in that system.
-Rohit


SCJP, SCWCD
ersin eser
Ranch Hand

Joined: Feb 22, 2001
Posts: 1072
So is it security-role-ref tag vs. auth-constraint tag ?
[ January 10, 2002: Message edited by: ersin eser ]
Rohit Poddar
Ranch Hand

Joined: Aug 18, 2001
Posts: 36
I think security-role-ref and auth-constraint tags are both for authorizing certain roles to access the resources in question.
Secutiry-role-ref
Programmers can control the access to or behavior of the servlet by hard-coding the role names in their code. And secutiry-role-ref helps you link the role name used within the Servlet Code to a role defined in the container, so that the program doesn’t have to be changed and recompiled when the role name changes.
Consider the following example :
<servlet>
<servlet-name>contextServlet</servlet-name>
<servlet-class>com.rohitpoddar.servprac.ContextServlet</servlet-class>
<security-role-ref>
<role-name>role1</role-name>
<role-link>managers</role-link>
</security-role-ref>
</servlet>
<security-role>
<role-name>managers</role-name>
</security-role>
I can in my program use HttpServletRequest.isUserInRole(“role1” ) to see if the user making the request is in the role “managers” (which is a defined role in the container and has certain groups and users associated with it). Now if I want to give access to role "everyone" all I have to do is change the <role-link> tag to
<role-link>everyone</role-link>
auth-constraint
Here the application assembler defines which roles are authorized to access which resources and then the container takes over to administer the rules.

Authentication is the part where container or programmer asks for the user code and password to find out if the user is indeed a valid user in this system.
[ January 11, 2002: Message edited by: Rohit Poddar ]
Jim Bertorelli
Ranch Hand

Joined: Nov 28, 2001
Posts: 136
An excellent analogy, Rohit.
<login-config> is used for authentication. and everything else is for authorization.
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
Thanks.
Glad to see the J2EE part and ofcourse the anology was good, but I was waiting for the J2EE spin on it.....
- satya
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

Authentication is something boolean....you have access or not! Authorization is upto which level u have access. So authorization comes if authentication is successful.
We can use authentication mechanism of our web container or provide one ourselves. What abt the authorization....is it a must for a j2ee compliant web server to provide authorization mechanism also? I think so...


Ashik Uzzaman
Senior Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Authorization verses Authentication ?
 
Similar Threads
Cant use object from another class
WA #1.....word association
Posting to bump up my count...
Text box value is not being completely filled with request attribute
The x900 effect ?