Which one is first? Authentication/Authorisation
Micheal John
Ranch Hand
Joined: Nov 01, 2006
Posts: 344
Which one will be checked first? Authentication or Authorization? I thought first it will do the authentication and, if successful, then it will check for authorisation. But after trying some examples I came to know that it is true only when there is at least one <role-name> specified in the <auth-constraint>. If there is no <role-name> in the <auth-constraint>, then authorisation is executed first. Am I right? Any feedback on it, if I am wrong. And I came to know that only if <auth-constraint> is there will authentication be performed. So we can't say that using <login-config> alone will take care of the authentication; it's the combination of both <login-config> and <auth-constraint>. Am I right? [ January 16, 2007: Message edited by: Micheal John ]
Micheal John
SCJP 1.4 (86%), SCWCD 1.4 (86%), SCBCD 1.3 (85%), SCDJWS (Just Started...) - Satisfaction Lies in Our EFFORT, Not in the ATTAINMENT
Niranjan Deshpande
Ranch Hand
Joined: Oct 16, 2005
Posts: 1277
Yes... if you have no resources to authorise, why do you want anyone to authenticate himself before he enters your website!
SCJP 1.4 - 95% [ My Story ] - SCWCD 1.4 - 91% [ My Story ]
Performance is a compulsion, not an option, if my existence is to be justified.
Sanjiv Kumar
Greenhorn
Joined: Jan 16, 2007
Posts: 2
Declarative Authentication is via the <login-config> (or using request.getRemoteUser() programmatically). Based on your login preference you can choose any of four methods (BASIC, DIGEST, CLIENT-CERT or FORM). For testing I go with BASIC. You can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file:

```xml
<user username="abc" password="xyz" roles="manager"/>
<user username="def" password="def" roles="admin,manager"/>
```

In your web.xml you can define the <login-config>:

```xml
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
```

This will take care of your Authentication.

1. The first step to do Authorization is to define roles. In Tomcat you can define roles in the \Tomcat 5.0\conf\tomcat-users.xml file. You declare these roles in web.xml so that the container can map roles to users (one <role-name> per <security-role>):

```xml
<security-role>
  <role-name>manager</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>
```

2. Now you can define which resources/methods you want to constrain; you do that in the web.xml file using security-constraint (declaratively). Here I authorize only the admin role to view a particular page:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>xxx</web-resource-name>
    <url-pattern>/hobby.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Now someone with the admin role is authorized to view the hobby.do page. E.g. user "abc" may log on but can't access hobby.do; only user "def" can. I am not listing any methods, which means all the methods on this page are constrained.

Summary: It's Authentication first (you are who you say you are), then Authorization (you can access what your role determines). Hope this helps.
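The thread converges on a rule that is easy to misread from web.xml alone: a security-constraint with no auth-constraint needs no login, an empty <auth-constraint/> denies everybody without ever asking for credentials, and only a constraint that names a role triggers authentication before the role check. The following Python model is an added example, not code from any of the posters or from Tomcat; it encodes the servlet-spec combination rules as described in this thread, uses a constructed user table that mirrors the tomcat-users.xml and the /hobby.do constraint above, and simplifies url-pattern matching to exact, "/prefix/*" and "*.ext" forms. The decision strings it returns are assumptions chosen for readability, not container output.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurityConstraint:
    url_patterns: list
    # roles=None  -> no <auth-constraint> element at all (resource is open)
    # roles=[]    -> empty <auth-constraint/> (nobody may access it)
    # roles=["*"] -> every role declared in <security-role>
    roles: Optional[list] = None
    confidential: bool = False  # <transport-guarantee>CONFIDENTIAL</transport-guarantee>

@dataclass
class Request:
    path: str
    secure: bool = False                  # request arrived over HTTPS
    credentials: Optional[tuple] = None   # (username, password) from BASIC auth, or None

# Constructed sample data mirroring the post's tomcat-users.xml and <security-role> entries.
USERS = {"abc": ("xyz", {"manager"}), "def": ("def", {"admin", "manager"})}
DECLARED_ROLES = {"manager", "admin"}

# Constructed constraints: the post's /hobby.do rule plus an open and a closed area.
CONSTRAINTS = [
    SecurityConstraint(["/hobby.do"], roles=["admin"], confidential=True),
    SecurityConstraint(["/public/*"], roles=None),
    SecurityConstraint(["/closed/*"], roles=[]),
]

def matches(pattern: str, path: str) -> bool:
    """Simplified url-pattern matching: exact, path-prefix ('/x/*') or extension ('*.ext')."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def authenticate(creds: Optional[tuple]) -> Optional[set]:
    """BASIC-style check against the constructed user table; returns the user's roles or None."""
    if creds is None:
        return None
    username, password = creds
    entry = USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]

def evaluate(constraints: list, request: Request) -> str:
    """Apply the container's checks in order and return the decision for one request."""
    applicable = [c for c in constraints
                  if any(matches(p, request.path) for p in c.url_patterns)]
    if not applicable:
        return "200 unconstrained"
    # 1. The user-data-constraint is enforced before any authentication happens.
    if any(c.confidential for c in applicable) and not request.secure:
        return "302 redirect to https"
    # 2. An empty <auth-constraint/> precludes access for everyone, so no login is requested.
    if any(c.roles == [] for c in applicable):
        return "403 empty auth-constraint"
    # 3. A matching constraint with no <auth-constraint> permits unauthenticated access.
    required = [c.roles for c in applicable if c.roles is not None]
    if not required:
        return "200 no auth-constraint, no login needed"
    # 4. Only a constraint that names roles makes the container demand authentication.
    user_roles = authenticate(request.credentials)
    if user_roles is None:
        return "401 authenticate"
    # 5. Authorization: union of the named roles; "*" expands to every declared role.
    allowed = set()
    for roles in required:
        allowed |= DECLARED_ROLES if "*" in roles else set(roles)
    return "200 authorized" if user_roles & allowed else "403 forbidden"

def demo() -> dict:
    """Run the cases discussed in the thread and return path -> decision."""
    cases = {
        "open page":                 Request("/index.html"),
        "no auth-constraint":        Request("/public/a.jsp"),
        "empty auth-constraint":     Request("/closed/x", credentials=("def", "def")),
        "hobby.do over http":        Request("/hobby.do"),
        "hobby.do no credentials":   Request("/hobby.do", secure=True),
        "hobby.do as abc (manager)": Request("/hobby.do", secure=True, credentials=("abc", "xyz")),
        "hobby.do as def (admin)":   Request("/hobby.do", secure=True, credentials=("def", "def")),
    }
    return {name: evaluate(CONSTRAINTS, req) for name, req in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} -> {decision}")
```

The "empty auth-constraint" case is the one Micheal observed: the request for /closed/x is refused with 403 even though valid admin credentials were supplied, because the container never needs to know who the caller is to reach that decision. Only the /hobby.do cases go through the 401 challenge and then the role comparison, which is the "authentication first, then authorization" order Sanjiv describes.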