1. What is the exact use of Realm in Basic authentication?
2. What is the exact use of the <role-name> to <role-link> mapping in programmatic security handling (assuming declarative security should not be involved once I use programmatic security)?
3. In the case of includes and forwards, is a copy of the request and response passed, or are they passed by reference?
Thanks in advance. Sorry if the questions sound confusing or foolish.
1. What is the exact use of Realm in Basic authentication?

Realm is like context. We can have only one <login-config> per web application. Assume there is a web application with context name "webApp1" and you define all the needed elements for security (<servlet>, <security-constraint>, <login-config>) correctly in web.xml. You also have made "/webApp1/servlet1" a protected resource with BASIC auth, and you also have correctly defined the (username/password/roles) in the server-specific way and have them all ready. Also assume you have made both GET and POST protected methods.

When you try to invoke http://localhost:8080/webApp1/servlet1, the server realizes that it is a protected resource and you have not yet been authenticated, and sends a 401 Unauthorized response header requesting the browser client to ask for user name and password. So we get a dialog box with a 'realm-name' value, and we enter the right values; the servlet checks those values against its ACL (Access Control List) and lets us access the resource. If you try to access the same resource with http://localhost:8080/webApp1/servlet1 again, you will not be asked for user name and password, since you are already authenticated for that context (realm). But if you try to access another protected resource in yet another web app which has a DIFFERENT realm-name defined in its web.xml, you will be asked for user name/password again, because the server first checks whether you are authenticated for THAT REALM. This is how the server keeps its internal per-realm list of authenticated users organized. Also note that if you close the client browser window (which you just used and correctly authenticated in) and open up a brand new browser window, you will be prompted for user name/password. This realm-level fine-grained check can be done with the BASIC auth-type only.

If you use the FORM auth-type, once you are authenticated in a browser window, you will not be asked for user name/password again even if you request a protected resource of yet another web app.

2. What is the exact use of the <role-name> to <role-link> mapping in programmatic security handling (assuming declarative security should not be involved once I use programmatic security)?

This is to have an abstract way of defining user roles. Inside your servlet you can have code like request.isUserInRole("VP"); but the deployer may like to define VP as "Vice President". The

    <security-role-ref>
        <role-name>VP</role-name>                // servlet way
        <role-link>Vice President</role-link>   // ACL way
    </security-role-ref>

element helps to have that flexibility.

3. In the case of includes and forwards, is a copy of the request and response passed, or are they passed by reference?

A copy of the request/response object's reference is passed. But note that it's just a copy of the reference. If you pass these references to two different user-defined methods and try to call a method() on that request/response reference, you will essentially execute the same method on the same request object.

Regards,
Maha Anna

[ November 28, 2002: Message edited by: Maha Annadurai ]
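The following is an added example, not code from the original post or from any servlet container: a small Python model of the two container behaviours the answer above describes. It parses a constructed web.xml fragment (hypothetical app "webApp1", a single <login-config> with a realm-name, one <security-constraint> on /servlet1 for GET and POST, and a <security-role-ref> mapping the servlet's role-name "VP" to the deployer's role-link "Vice President"), answers a request the way the container would (401 with a WWW-Authenticate challenge carrying the realm-name, 403 when authenticated but not in an allowed role, 200 otherwise), and resolves request.isUserInRole() through the role-link before consulting the user store. The users, passwords and roles are made up; the browser's per-realm caching of credentials is not modelled.

```python
"""Toy model of BASIC auth with a realm-name and <security-role-ref>
mapping, as described in the post above.  Added example, not a real
servlet container: web.xml fragment, users and passwords are constructed."""
import base64
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for a hypothetical app "webApp1".
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>servlet1</servlet-name>
    <security-role-ref>
      <role-name>VP</role-name>
      <role-link>Vice President</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/servlet1</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Vice President</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>webApp1 realm</realm-name>
  </login-config>
</web-app>"""

# Constructed, server-specific user store (the "ACL" the post refers to):
# user -> (password, set of roles as the deployer names them).
USERS = {
    "alice": ("s3cret", {"Vice President"}),
    "bob":   ("hunter2", {"Clerk"}),
}


def parse_web_xml(text):
    """Pull out realm-name, security constraints and per-servlet role refs."""
    root = ET.fromstring(text)
    realm = root.findtext("login-config/realm-name")
    constraints = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        constraints.append({
            "patterns": [p.text for p in wrc.findall("url-pattern")],
            "methods": {m.text for m in wrc.findall("http-method")},
            "roles": {r.text for r in sc.findall("auth-constraint/role-name")},
        })
    role_refs = {}
    for s in root.findall("servlet"):
        role_refs[s.findtext("servlet-name")] = {
            ref.findtext("role-name"): ref.findtext("role-link")
            for ref in s.findall("security-role-ref")}
    return realm, constraints, role_refs


REALM, CONSTRAINTS, ROLE_REFS = parse_web_xml(WEB_XML)


def authenticate(authorization):
    """Decode 'Basic base64(user:pass)'; return the user name or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:          # bad base64 or non-UTF-8 bytes
        return None
    entry = USERS.get(user)
    return user if entry and entry[0] == pw else None


def handle(method, path, authorization=None):
    """Return (status, challenge header) as the container would.
    Only exact url-pattern matches are modelled; real containers also
    do prefix and extension matching.  An empty http-method set means
    every method is constrained."""
    hit = [c for c in CONSTRAINTS if path in c["patterns"]
           and (not c["methods"] or method in c["methods"])]
    if not hit:
        return 200, None        # unprotected resource
    user = authenticate(authorization)
    if user is None:
        # No or wrong credentials: challenge with the configured realm-name.
        return 401, 'WWW-Authenticate: Basic realm="%s"' % REALM
    if not any(USERS[user][1] & c["roles"] for c in hit):
        return 403, None        # authenticated, but not in an allowed role
    return 200, None


def is_user_in_role(servlet, user, role_name):
    """request.isUserInRole(role_name) inside the servlet: the coded
    role-name is translated via <security-role-ref> to the deployer's
    role-link (unchanged if no ref exists), then checked against the user."""
    real_role = ROLE_REFS.get(servlet, {}).get(role_name, role_name)
    return real_role in USERS.get(user, ("", set()))[1]


def basic(user, pw):
    """Build the Authorization header a browser sends after the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
```

A first GET on /servlet1 with no header yields a 401 whose challenge names "webApp1 realm"; the same request with basic("alice", "s3cret") passes, while bob (a Clerk) gets 403 even though his password is right. Inside the servlet, is_user_in_role("servlet1", "alice", "VP") is true only because the role-ref turns "VP" into "Vice President" first. One caveat the post does not mention: the Authorization header carries the password merely base64-encoded, so BASIC auth must be used over TLS.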