Few questions !!! Help.

 
Ranch Hand
Posts: 38
1. What is the exact use of the realm in Basic authentication?
2. What is the exact use of the <role-name> to <role-link> mapping in programmatic security handling (assuming declarative security should not be involved once I use programmatic security)?
3. In the case of includes and forwards, are the request and response passed as a copy, or are they passed by reference?
Thanks in advance. Sorry if the questions sound confusing or foolish.
 
Ranch Hand
Posts: 87
1. What is the exact use of the realm in Basic authentication?
A realm is like a context.
We can have only one <login-config> per web application. Assume there is a web application with the context name "webApp1" and you define all the needed elements for security (<servlet>, <security-constraint>, <login-config>) correctly in web.xml. You have also made "/webApp1/servlet1" a protected resource with BASIC auth, and you have correctly defined the usernames/passwords/roles in the server-specific way and have them all ready. Also assume you have made both GET and POST protected methods.
When you try to invoke http://localhost:8080/webApp1/servlet1, the server realizes that it is a protected resource and that you have not yet been authenticated, so it sends a 401 Unauthorized response that requests the browser client to ask for a user name and password. So we get a dialog box showing the 'realm-name' value, and we enter the right values; the servlet checks those values against its ACL (Access Control List) and lets us access the resource.
If you try to access the same resource at http://localhost:8080/webApp1/servlet1 again, you will not be asked for a user name and password, since you are already authenticated for that context (realm).
But,
If you try to access another protected resource in yet another web app which has a DIFFERENT realm-name defined in its web.xml, you will be asked for a user name/password again, because the server first checks whether you are authenticated for THAT REALM. This is how the server keeps its internal per-realm list of authenticated users organized.
Also note that if you close the client browser window (which you just used and correctly authenticated in) and open up a brand new browser window, you will be prompted for a user name/password.
This realm-level fine-grained check can be done with the BASIC auth type only. If you use the FORM auth type, once you are authenticated in a browser window you will not be asked for a user name/password again, even if you request a protected resource of yet another web app.
2. What is the exact use of the <role-name> to <role-link> mapping in programmatic security handling (assuming declarative security should not be involved once I use programmatic security)?
This is to have an abstract way of defining user roles. Inside your servlet you can have code like request.isUserInRole("VP"); but the deployer may like to define VP as "Vice President". The
<security-role-ref>
  <role-name>VP</role-name>                 <!-- name used in the servlet code -->
  <role-link>Vice President</role-link>     <!-- role name the deployer/ACL uses -->
</security-role-ref>
<!-- the role-link must match a <security-role> declared in the same web.xml -->
<security-role>
  <role-name>Vice President</role-name>
</security-role>
element helps to have that flexibility.
3. In the case of includes and forwards, are the request and response passed as a copy, or are they passed by reference?
A copy of the request/response object's reference is passed. But note that it's just a copy of the reference. If you pass these references to two different user-defined methods and call a method() on that request/response reference, you will essentially execute the same method on the same request object.
Regards,
Maha Anna
[ November 28, 2002: Message edited by: Maha Annadurai ]
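To make point 1 above concrete, here is an added Python simulation of the Basic authentication exchange. It is not code from this thread or from any servlet container: the context paths, realm names, users and passwords are constructed for the demo. The "server" answers unauthenticated requests with 401 and a WWW-Authenticate: Basic realm="..." challenge and re-checks the Authorization header on every request; the "browser" caches what the user typed per (origin, realm) and replays it, and a new window starts with an empty cache, which is what produces the prompt/no-prompt behaviour described in the post.

```python
"""
Simulation of HTTP Basic authentication and what the realm-name is for.

Added example, not code from the original forum thread. The context paths,
realm names, users and passwords below are all constructed for the demo.
"""
import base64
import hmac
from dataclasses import dataclass, field


# --- "Server" side: two web apps, each with its own <login-config> realm ---
# Constructed data: context path -> (realm-name, {username: password})
APPS = {
    "/webApp1": ("App1 Realm", {"alice": "s3cret"}),
    "/webApp2": ("App2 Realm", {"alice": "other-pw"}),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def server(path: str, headers: dict) -> Response:
    """Serve one request. A request to a protected app must carry a valid
    'Authorization: Basic <base64(user:password)>' header for that app's
    realm. There is no server-side login state: the header is checked on
    every request. Anything else gets 401 plus a WWW-Authenticate
    challenge that names the realm (that name is what the dialog shows)."""
    context = "/" + path.split("/")[1]
    if context not in APPS:
        return Response(404)
    realm, users = APPS[context]
    challenge = Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except ValueError:          # malformed base64 or non-UTF-8 bytes
        return challenge
    user, _, password = decoded.partition(":")
    expected = users.get(user)
    # Constant-time comparison so a wrong guess does not leak how much of the
    # password matched. Basic is only base64, not encryption: TLS hides it in transit.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge
    return Response(200)


# --- "Browser" side: credentials cached per (origin, realm) and replayed ---
class Browser:
    def __init__(self, user_input: dict):
        # user_input: realm-name -> (user, password) the person types when prompted
        self._user_input = user_input
        self._cache = {}      # (origin, realm) -> Authorization header value
        self.prompts = 0      # number of login dialogs the user has seen

    def get(self, origin: str, path: str) -> int:
        resp = server(path, {})
        if resp.status != 401:
            return resp.status
        realm = resp.headers["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
        key = (origin, realm)
        if key not in self._cache:
            self.prompts += 1                       # dialog box, showing the realm
            user, pw = self._user_input[realm]
            self._cache[key] = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        resp = server(path, {"Authorization": self._cache[key]})
        if resp.status == 401:
            del self._cache[key]                    # rejected: forget it, prompt next time
        return resp.status


def walkthrough() -> dict:
    """Replay the scenario from the post: same realm -> no second prompt,
    a different realm -> prompt again, a brand-new window -> prompt again."""
    origin = "http://localhost:8080"
    typed = {"App1 Realm": ("alice", "s3cret"), "App2 Realm": ("alice", "other-pw")}
    win = Browser(typed)
    first = win.get(origin, "/webApp1/servlet1")
    second = win.get(origin, "/webApp1/servlet1")
    prompts_same_realm = win.prompts
    other = win.get(origin, "/webApp2/servlet1")
    prompts_after_other = win.prompts
    new_win = Browser(typed)
    new_win.get(origin, "/webApp1/servlet1")
    return {
        "first": first, "second": second, "other": other,
        "prompts_same_realm": prompts_same_realm,
        "prompts_after_other_realm": prompts_after_other,
        "prompts_new_window": new_win.prompts,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Two things the simulation makes visible that matter when you rely on BASIC auth: the realm string is the only thing the client uses to decide whether it already holds credentials for a resource, so two apps sharing a realm name share a prompt, and the credentials are re-sent base64-encoded on every request, so the protected resources must be served over TLS or the password is readable on the wire.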