Which one will be checked first, authentication or authorization? I thought first it will do the authentication and, if successful, then it will check for authorisation. But after trying some examples I came to know that it is true only when there is at least one <role-name> specified in the <auth-constraint>.
If there is no <role-name> in the <auth-constraint>, then authorisation is executed first.
Am I right? Any feedback on it, if I am wrong.
And I came to know that only if <auth-constraint> is there will authentication be performed. So, we can't say that using <login-config> alone will take care of the authentication; it's the combination of both <login-config> and <auth-constraint>. Am I right? [ January 16, 2007: Message edited by: Micheal John ]
SCJP 1.4 (86%), SCWCD 1.4 (86%), SCBCD 1.3 (85%), SCDJWS (Just Started...) - Satisfaction Lies in Our EFFORT, Not in the ATTAINMENT
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically )
Based on your login preference you can choose any of the four methods (BASIC, DIGEST, CLIENT-CERT or FORM). For testing I go with BASIC. You can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file:
<user username="abc" password="xyz" roles="manager"/>
<user username="def" password="def" roles="admin,manager"/>
2. Now you can define which resources/methods you want to constrain; you do that in the web.xml file using security-constraint (declaratively).
Here I authorize only the admin role to view a particular page:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>xxx</web-resource-name>
    <url-pattern>/hobby.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
Now someone with the admin role is authorized to view the hobby.do page. Ex: user "abc" may log on but can't access hobby.do; only user "def" can. I am not listing any methods, which means all the methods on this page are constrained.
Summary: It's Authentication first (you are who you say you are) then Authorization (you can access what your role determines).
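A complete web.xml putting the three cases from this thread side by side: a constraint that names a role, an empty auth-constraint, and a constraint with no auth-constraint at all. This is an added example, not from either post; the resource names, URL patterns and realm name are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: not part of either post; names, paths and realm are constructed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Case 1: auth-constraint names a role. The container authenticates first
       (BASIC challenge via login-config below), then checks that the
       authenticated principal holds "admin". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-pages</web-resource-name>
      <url-pattern>/hobby.do</url-pattern>
      <!-- no http-method listed: every method is constrained -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 2: empty auth-constraint. No role can satisfy it, so the container
       denies access outright without ever prompting for credentials. This is
       the "authorization first" behaviour observed in the question. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Case 3: no auth-constraint. Nobody is asked to log in; the constraint
       only forces HTTPS for this collection. login-config is never triggered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public-over-tls</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- login-config alone protects nothing; it only says HOW to authenticate
       when some auth-constraint above requires it. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```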