How authorization constraint affects authentication?

viswanath sastry
Greenhorn

Joined: May 04, 2003
Posts: 24
While going through some old postings I saw this posting:
http://www.javaranch.com/ultimatebb.cgi?ubb=get_topic&f=18&t=000777
The person was trying to call getAuthType() in his code and it was always returning null, even after declaring BASIC as the auth-method in login-config.
The answer given was
"You did not supply the Authorization Constraint in the Security Constraint", and this suggestion worked for him.
My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in servlet-constraint (and auth-constraint is also optional in the servlet-constraint element) for it to work? Because all he was doing was getting the type of authentication method.
viswam.


visu
yogen joshi
Greenhorn

Joined: May 02, 2003
Posts: 21
If you look at the Servlet specs, the explanation of the DTD for the <auth-constraint> element is as follows:
    The auth-constraint element indicates the user roles that should
    be permitted access to this resource collection. The role-name
    used here must either correspond to the role-name of one of the
    security-role elements defined for this web application,
    If no roles are defined, no user is allowed access to the portion of
    the web application described by the containing security-constraint.
    The container matches role names case sensitively when determining
    access.
So in short, there has to be some role defined for a secured web resource, which is done through <auth-constraint>.
The username, password and role are set up in another XML file, which is implementation dependent. For Tomcat it is (I am not sure, but something like) <tomcat-root>\conf\tomcat-users.xml.
Try this simple experiment. Have the following mapping in web.xml:

<servlet-mapping>
    <servlet-name>Info Servlet</servlet-name>
    <url-pattern>/servlet/Info</url-pattern>
</servlet-mapping>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Basic-Test</web-resource-name>
        <url-pattern>/servlet/Info</url-pattern>
        <!-- HTTP method names are matched case-sensitively: GET, not Get -->
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrators</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <!-- legal auth-method values are BASIC, DIGEST, FORM or CLIENT-CERT -->
    <auth-method>BASIC</auth-method>
    <realm-name>neon</realm-name>
    <!-- form-login-config is only consulted when auth-method is FORM -->
    <form-login-config>
        <form-login-page>/html/FormLogin.html</form-login-page>
        <form-error-page>/error/ErrorLogin.html</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>administrators</role-name>
</security-role>

Now if you comment out <auth-constraint>, then the server gets the message that all roles are given permission, so this is not a secure resource. So there is no authentication required.
viswanath sastry
Greenhorn

Joined: May 04, 2003
Posts: 24
Quoted by yogen joshi:
    Now if you comment out <auth-constraint> then the server gets the message that all
    roles are given permission, so this is not a secure resource. So there is no Authentication required.

If you want all authenticated users to have access to a resource, we use * as the role-name. Omitting it means that no roles have access. That means it is completely secure and not insecure as you say.
Even if no user can access the page, he should at least get the authentication method used in his code. So my question still stays the same:
My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in servlet-constraint (and auth-constraint is also optional in the servlet-constraint element) for it to work? Because all he was doing was getting the type of authentication method.

Thanks in advance.
viswanath sastry
Greenhorn

Joined: May 04, 2003
Posts: 24
Knock, knock. Somebody please answer my question.
If the moderators think that this is not the right forum for this question, will they at least move it to the Servlets forum?
Thanks.
Amer Khan
Ranch Hand

Joined: Apr 05, 2003
Posts: 163
quote: viswanath sastry
    My question is, why should he declare auth-constraint (which is used for authorization and not authentication) in servlet-constraint (and auth-constraint is also optional in the servlet-constraint element) for it to work? Because all he was doing was getting the type of authentication method.

Simply because he did not have access to the designated resource.
The auth-constraint element designates the users that should have access to protected resources. The role-name element identifies the class of users that have access.
Example:
<s-c>
    <w-r-c>---</w-r-c>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</s-c>
This states that only users who are designated as managers should have access to the designated resource (the web-resource-collection), and no other role.
Omitting auth-constraint means that no one has access, whereas * means everybody has access.
Why is this element optional?
There are times when certain pages are not meant for direct client access (a JSP snippet that is intended to be inserted into another file with jsp:include). In this case the user should be prohibited from directly accessing the JSP page. A security-constraint element with no auth-constraint would enforce this restriction.
Note: these security restrictions apply only to direct client access (you can still use RequestDispatcher etc.).
We can implement the above theory on certain JSP pages so that they can't be directly accessed by the clients.
[ June 02, 2003: Message edited by: Amer Khan ]

Dare to dream - everything that exists today was once a figment of someone's imagination; nobody says tomorrow can't be a figment of your today.
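An added example, not from any poster and not a container's own code: a small Python model of how a servlet container applies a security-constraint to one request, with a constructed web.xml inline (the /fragments and /reports patterns and every role name other than administrators are assumptions). It separates the cases the posts above turn on, as the Servlet spec defines them: no auth-constraint at all (the resource is unconstrained, the container never authenticates, and getAuthType() stays null), an auth-constraint with no role-name (no user is allowed, as the DTD text quoted above says), and role-name * (any authenticated user). It also shows that an http-method restriction leaves the other methods unconstrained.

```python
# Added example: model of servlet-container security-constraint handling; WEB_XML is constructed.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/servlet/Info</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/fragments/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def matches(pattern, path):
    # Servlet url-pattern forms: prefix (/x/*), extension (*.ext), or exact.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def decide(web_xml, path, method, user_roles=None):
    """Return 'PERMIT', 'AUTHENTICATE' (401 challenge for BASIC) or 'FORBID' (403).
    user_roles=None means the request carries no credentials. Simplification:
    the first constraint covering the request decides (containers merge them)."""
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        covered = any(
            any(matches(p.text.strip(), path) for p in wrc.findall("url-pattern"))
            and (not wrc.findall("http-method")  # no http-method: every method
                 or method in [m.text.strip() for m in wrc.findall("http-method")])
            for wrc in sc.findall("web-resource-collection"))
        if not covered:
            continue
        ac = sc.find("auth-constraint")
        if ac is None:            # omitted: unconstrained, the container never
            return "PERMIT"       # authenticates, so getAuthType() stays null
        roles = [r.text.strip() for r in ac.findall("role-name")]
        if not roles:             # <auth-constraint/> with no role: nobody, ever
            return "FORBID"
        if user_roles is None:    # roles named: credentials are now required
            return "AUTHENTICATE"
        return "PERMIT" if "*" in roles or set(roles) & set(user_roles) else "FORBID"
    return "PERMIT"               # nothing covers it: no authentication involved
```

Note that a POST to /servlet/Info is permitted without credentials, because the constraint lists only GET; that is the usual reason to omit http-method entirely.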
Amer Khan
Ranch Hand

Joined: Apr 05, 2003
Posts: 163
quote: visu
    The answer given was
    "You did not supply the Authorization Constraint in the Security Constraint" and this suggestion worked for him


Just think about it.
viswanath sastry
Greenhorn

Joined: May 04, 2003
Posts: 24
Thanks Amer,
Your answer was very informative.