aspose file tools*
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Which one is first? Authentication/Authorisation Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Which one is first? Authentication/Authorisation" Watch "Which one is first? Authentication/Authorisation" New topic

Which one is first? Authentication/Authorisation

Micheal John
Ranch Hand

Joined: Nov 01, 2006
Posts: 344
Which one will be checked first? Whether Authentication or Authorization?
I thought first it will do the authentication if success then it will check for authorisation.but after trying some examples I came to know that it is true only when there is atleast one <role-name> is specified in the <auth-constraint>

If there is no <role-name> in the <auth-constraint>, then authorisation is executing first..

Am I right? Any feedback in it, if I am wrong..

And I came to know that only if <auth-constraint> is there authentication will be performed. So,we can't say that using <login-config> alone will take care the authentication.. it' the combination of both <login-config> and <auth-constraint> i right?
[ January 16, 2007: Message edited by: Micheal John ]

Micheal John
SCJP 1.4 (86%), SCWCD 1.4 (86%), SCBCD 1.3 (85%), SCDJWS (Just Started...) - Satisfaction Lies in Our EFFORT, Not in the ATTAINMENT
Niranjan Deshpande
Ranch Hand

Joined: Oct 16, 2005
Posts: 1277
if you have no resources to authorise...why do you want anyone to authenticate him before he enters your website !

SCJP 1.4 - 95% [ My Story ] - SCWCD 1.4 - 91% [ My Story ]
Performance is a compulsion, not a option, if my existence is to be justified.
Sanjiv Kumar

Joined: Jan 16, 2007
Posts: 2
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically )

Based on your login preference you can choose any four methods (BASIC,DIGEST,CLIENT-CERT or FORM)
�For testing I go with BASIC. you can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file.
�<user username="abc" password="xyz" roles="manager "/>
�<user username="def" password="def" roles="admin,manager "/>

In your web.xml you can define the

<login-config> <auth-method> BASIC</auth-method></<login-config>

This will take care of your Authentication.

1.The first step to do Authorization is define roles. In tomcat you can define roles in \Tomcat 5.0\conf\tomcat-users.xml file

You define these roles in web.xml so that container can map roles to user


2.Now you can define which resources/methods you want to constraint that you do in web.xml file using security-constraint(declaratively )

Here I authorize only admin role to view a particular page

<role-name>admin </role-name>

now some with admin role is authorize to view the page. Ex user �abc� may logon but can�t access only user �def� can. I am not listing any methods that means all the methods on this page are constrained

It�s Authentication first (you are who you say you are) then Authorization (you can access what your role determines)

Hope this helps
Don't get me started about those stupid light bulbs.
subject: Which one is first? Authentication/Authorisation