JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
what is realm. ???

M Sharma
Ranch Hand

Joined: Dec 13, 2001
Posts: 106
Hi Ranchers,
In Hanumant Deshmukh's study guide, page no. 137,
Topic: HTTP Basic authentication
In point no. 2 it's stated that ...


The server observes that the resource is protected, and so instead of sending the resource, it sends a 401 Unauthorized message back to the client. In the message, it also includes a header that tells the browser that the Basic authentication is needed to access the resource. The header also specifies the context in which the authentication would be valid. This context is called realm. It helps organize the access control lists on the server into different categories and, at the same time, tells users which user ID/password to use if they are allowed access in different realms. The following is a sample response sent by a server:

HTTP/1.0 401 Unauthorized
Server: Tomcat/4.0.1
WWW-Authenticate: Basic realm="sales"
Content-Length: 500
Content-Type: text/html

I still can't understand what this realm is and what its purpose is???
Can anybody explain this with an example?
TIA,
[ January 17, 2004: Message edited by: Manish Sachdev ]

Regards, Manish
SCJP 1.4
Sanjay Saxena
Ranch Hand

Joined: Dec 12, 2001
Posts: 81
Here is an answer by Ko Ko Naing I stole from Jdiscuss.com.....
Here I extracted some explanation from the SCWCD Exam Study Kit...
Quoted:
----------------------------------------------------------------------------
The header also specifies the context in which the authentication would be valid. This context is called realm. It helps organize the access control lists on the server into different categories and, at the same time, tells users which user ID/password to use if they are allowed access in different realms.
----------------------------------------------------------------------------
It means that if you send the username and password to the server back, you have to set the realm, which is some kinda domain that your username and password will be authenticated in... As it says, the server takes this advantage to divide the different categories and get you to the specified realm after the authentication... Hope it might help you to understand the meaning...
-----------------------------------------
Mr. Ko Ko Naing
M Sharma
Ranch Hand

Joined: Dec 13, 2001
Posts: 106
Thanks Sanjay,
But I'm still not getting what exactly it is, what its purpose is... and how it is useful.
TIA
Vijay S. Rathore
Ranch Hand

Joined: Oct 29, 2001
Posts: 449
As per the definition mentioned in SG246573 (IBM Redbook)
IBM WebSphere V5.0 Security
A realm is a collection of users that are controlled by the same authentication policy.
So, if I say a realm is sales, it means any user defined for roles in tomcat-users.xml.
<tomcat-users>
<user username="vijay" password="yajiv" roles="sales,administrator"/>
<user username="manish" password="manish" roles="sales"/>
<user username="john" password="jjj" roles="sales"/>
</tomcat-users>
Here 'vijay' belongs to realms 'sales and administrator', whereas 'manish' belongs to 'sales' only.


SCJP, SCJD, SCWCD1.4, IBM486, IBM484, IBM 483, IBM 287, IBM141, IBM Certified Enterprise Developer - WebSphere Studio, V5.0
Author of IBM 287 Simulator Exam
hover cheng
Ranch Hand

Joined: Feb 11, 2003
Posts: 66
Vijay,
Originally posted by Vijay S Rathore:
As per the definition mentioned in SG246573 (IBM Redbook)
IBM WebSphere V5.0 Security
A realm is a collection of users that are controlled by the same authentication policy.
So, if I say a realm is sales, it means any user defined for roles in tomcat-users.xml.
<tomcat-users>
<user username="vijay" password="yajiv" roles="sales,administrator"/>
<user username="manish" password="manish" roles="sales"/>
<user username="john" password="jjj" roles="sales"/>
</tomcat-users>
Here 'vijay' belongs to realms 'sales and administrator', whereas 'manish' belongs to 'sales' only.


I cannot agree with you on this point. Obviously, the "role" is by far different from "realm". In the example you gave, 'vijay' and 'manish' belong to different roles, but we cannot decide whether they belong to one or multiple realms based only on this.
The "realm-name" in web.xml and the actual authentication realm are very confusing, as the Servlet 2.4 final spec says,

SRV.12.5.1 HTTP Basic Authentication
HTTP Basic Authentication, which is ..... As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The realm string of Basic Authentication does not have to reflect any particular security policy (Authentication domain confusingly also referred to as a realm) ....

So, the "realm-name" in web.xml is only a "string" sent to the client's browser and displayed to the client as a "tip" while using the BASIC auth-method. It is not sent to the client using the FORM auth-method, and it has no effect on how the web server authenticates users.
To clarify, we have "two realms" here: one is the "string" realm-name as above, the other is the "auth realm", which is used by the web server as the means to authenticate users.
I think for Tomcat, it defines its auth realm in conf/server.xml rather than conf/tomcat-users.xml. In contrast, all the users and roles defined in tomcat-users.xml belong to one auth realm -- MemoryRealm.
We can find the following elements defined in server.xml regarding other auth realms:

Correct me if I am wrong. I am also in the beginning phase, getting my hands dirty with the security issues.


SCJP 91% SCJD 94% SCBCD 98% SCWCD1.4 86%
XML141 SCDWJS -- in progress
If you don't retreat, you are mostly among those who can surmount it.
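The two-realm distinction in the post above, as an added worked example that is not from the thread or from Tomcat: the user table is constructed from the tomcat-users.xml Vijay posted (a MemoryRealm-style store), the protected paths stand in for a hypothetical web.xml security-constraint, and REALM_NAME plays the role of realm-name. It shows that the realm string only travels in the 401 challenge (the browser's Authorization header carries just base64(user:password), no realm), while the real decision is made against the user store and its roles.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed user store modelled on the tomcat-users.xml in this thread:
# username -> (password, roles). Plaintext passwords only because the sample uses them.
USERS: Dict[str, Tuple[str, frozenset]] = {
    "vijay":  ("yajiv",  frozenset({"sales", "administrator"})),
    "manish": ("manish", frozenset({"sales"})),
    "john":   ("jjj",    frozenset({"sales"})),
}

# Hypothetical <security-constraint>: which role each protected path requires.
PROTECTED = {"/sales/report": "sales", "/admin/console": "administrator"}

# The <realm-name> from web.xml: a label for the browser's password prompt, nothing more.
REALM_NAME = "sales"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'. No realm is carried here."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as unauthenticated, never crash
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle(path: str, authorization: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) the way a container's BASIC auth would."""
    required_role = PROTECTED.get(path)
    if required_role is None:
        return 200, {}  # unprotected resource: no challenge at all
    creds = parse_basic(authorization)
    stored = USERS.get(creds[0]) if creds else None
    if stored is None or not hmac.compare_digest(stored[0].encode(), creds[1].encode()):
        # Authentication failed or absent: challenge, naming the realm string.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM_NAME}"'}
    if required_role not in stored[1]:
        return 403, {}  # authenticated in the auth realm, but lacks the role
    return 200, {}


def basic_header(user: str, password: str) -> str:
    """What the browser sends back after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Note that changing REALM_NAME alters only the text in the challenge; which users and roles are accepted is decided entirely by USERS and PROTECTED.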
Ali Ragi
Ranch Hand

Joined: Dec 10, 2003
Posts: 60
Obviously "realm" is very confusing. It has different meanings in different contexts.
One more thing, I guess the conf/server.xml and the conf/tomcat-users.xml are vendor specific implementation for the security model, and the elements in the xml configuration files are also vendor specific, and we can't rely on them. Correct me if I am wrong.
----------------------------------
Ali Ragi - I am just learning, that's why I am here!
[ January 20, 2004: Message edited by: Ali Ragi ]