Meaningless Drivel is fun!
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Which one is first? Authentication/Authorisation Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Which one is first? Authentication/Authorisation" Watch "Which one is first? Authentication/Authorisation" New topic

Which one is first? Authentication/Authorisation

Micheal John
Ranch Hand

Joined: Nov 01, 2006
Posts: 344
Which one will be checked first? Whether Authentication or Authorization?
I thought first it will do the authentication if success then it will check for authorisation.but after trying some examples I came to know that it is true only when there is atleast one <role-name> is specified in the <auth-constraint>

If there is no <role-name> in the <auth-constraint>, then authorisation is executing first..

Am I right? Any feedback in it, if I am wrong..

And I came to know that only if <auth-constraint> is there authentication will be performed. So,we can't say that using <login-config> alone will take care the authentication.. it' the combination of both <login-config> and <auth-constraint> i right?
[ January 16, 2007: Message edited by: Micheal John ]

Micheal John
SCJP 1.4 (86%), SCWCD 1.4 (86%), SCBCD 1.3 (85%), SCDJWS (Just Started...) - Satisfaction Lies in Our EFFORT, Not in the ATTAINMENT
Niranjan Deshpande
Ranch Hand

Joined: Oct 16, 2005
Posts: 1277
if you have no resources to authorise...why do you want anyone to authenticate him before he enters your website !

SCJP 1.4 - 95% [ My Story ] - SCWCD 1.4 - 91% [ My Story ]
Performance is a compulsion, not a option, if my existence is to be justified.
Sanjiv Kumar

Joined: Jan 16, 2007
Posts: 2
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically )

Based on your login preference you can choose any four methods (BASIC,DIGEST,CLIENT-CERT or FORM)
�For testing I go with BASIC. you can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file.
�<user username="abc" password="xyz" roles="manager "/>
�<user username="def" password="def" roles="admin,manager "/>

In your web.xml you can define the

<login-config> <auth-method> BASIC</auth-method></<login-config>

This will take care of your Authentication.

1.The first step to do Authorization is define roles. In tomcat you can define roles in \Tomcat 5.0\conf\tomcat-users.xml file

You define these roles in web.xml so that container can map roles to user


2.Now you can define which resources/methods you want to constraint that you do in web.xml file using security-constraint(declaratively )

Here I authorize only admin role to view a particular page

<role-name>admin </role-name>

now some with admin role is authorize to view the page. Ex user �abc� may logon but can�t access only user �def� can. I am not listing any methods that means all the methods on this page are constrained

It�s Authentication first (you are who you say you are) then Authorization (you can access what your role determines)

Hope this helps
I agree. Here's the link:
subject: Which one is first? Authentication/Authorisation
It's not a secret anymore!