
auth-constraint vs security-role

Satyajeet Kadam
Ranch Hand

Joined: Oct 19, 2006
Posts: 215
Q1) I want to know the difference between auth-constraint and security-role.
As far as I think:
<auth-constraint> is one who can make constraint request to resource.
<security-role> is one who can access the application.
Please correct me if I am wrong.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

<security-role> defines the entries for the roles available to the application. The roles are provided by the container, through its authentication mechanism. Tomcat, by default, uses tomcat-users.xml to define the users and roles.

Thanks


Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
kajal mukergi
Ranch Hand

Joined: Mar 22, 2007
Posts: 102
<auth...> is only when we want to...tell which resources are to be constrained

so at that time we use it depending upon the roles what we have mentioned
in the

<security-role>

and also.. casing is very important when we mention in <auth
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi Kajal,
What do you mean by constrained?
With regards,
Padma priya N.G.


Padma priya N.G.
Be the change you want to be - Mahatma Gandhi
kajal mukergi
Ranch Hand

Joined: Mar 22, 2007
Posts: 102
constrained means "conditions" that is when we want to access a particular....
source.. then.. we need to get permission so..

we will keep some condition which the user must satisfy.. to..get the.. particular source
James Mark
Ranch Hand

Joined: Jul 05, 2007
Posts: 115
Using BASIC authentication, the user is prompted by the browser
to enter the name and password.
Based on that the role of the user can be found out using tomcat-users.xml.

From that point onwards the Container knows the role of the user accessing the application.

<security-role> defines the possible user roles in the Application using the <role-name> tag nested in that.

<auth-constraint> is constraining a particular resource to a particular role using the <role-name> tag.

Take care: constraining is not at the role level. It is role+httpmethod.


SCJP1.4(96%) SCWCD1.4(92%)
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi James,
From where do we find the role of the user in tomcat-users.xml?
Can you please help me?
Thanks.
James Mark
Ranch Hand

Joined: Jul 05, 2007
Posts: 115
<tomcat-users> tag in tomcat-users.xml contains a nested <user> tag...
As an example.
<user name="JamesMark" password="007Gun$" roles="Admin,Guest"/>

Upon login we give the username and password; it is mapped to the above
one and the Container gets the information that JamesMark has two roles, i.e. Admin and Guest.

Now
<auth-constraint>Admin</auth-constraint>

allows JamesMark to access the urlpattern say
<url-pattern>/Bank/AddUser/*</url-pattern> defined in the one or many
<web-resource-collection> elements in the <security-constraint>.
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi Mark,
<auth-constraint>Admin</auth-constraint>



You had mentioned Admin within auth-constraint which is an error. It should have been

<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>

Thanks.
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi,
Am I right?
Thanks.
khushhal yadav
Ranch Hand

Joined: Jun 20, 2007
Posts: 242

Yes Priya

You are right.

And kajal

<auth-constraint> is concerned with constraining the request on the resource, not the resource. Please amend it.
while <security-role> is defining the various roles defined for the application.

Regards,
Khushhal


rgrds,
Khushhal
Padma priya Gururajan
Ranch Hand

Joined: Oct 05, 2006
Posts: 434
Hi Khushal,
Thanks.
James Mark
Ranch Hand

Joined: Jul 05, 2007
Posts: 115
Sorry, it was a Friday and I was planning to reach home quickly at that point in time....
Sorry for the mistake.....
Ken Truitt
Ranch Hand

Joined: Aug 23, 2007
Posts: 124
Just working from my notes, I think it might be the case that
the relevant tag in tomcat-users.xml is

<role rolename="guest"/>

which is slightly different than the element in the auth-constraint
tagset:

<role-name>"guest"</role-name>

It helps to take note of this to avoid confusion.

Ken


SCJP 88% | SCWCD 84%
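The points raised across this thread can be checked mechanically. The following is an added example, not code from any poster or from Tomcat: a Python check over a constructed web.xml that flags a role written as bare text inside <auth-constraint>, a role name with no exactly matching (case-sensitive) <security-role> declaration, and a constraint that lists <http-method> and so covers only those methods. The function names and finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for illustration; not taken from any poster's application.
SAMPLE_WEB_XML = """<web-app>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Guest</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AddUser</web-resource-name>
      <url-pattern>/Bank/AddUser/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>Admin</auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/Bank/Reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _named(parent, name):
    """Descendants of parent with this local tag name, ignoring any XML namespace."""
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem):
    return (elem.text or "").strip()

def check_web_xml(xml_text):
    """Return (url_patterns, finding) tuples for the mistakes discussed in the thread."""
    root = ET.fromstring(xml_text)
    declared = {_text(r) for sr in _named(root, "security-role") for r in _named(sr, "role-name")}
    findings = []
    for sc in _named(root, "security-constraint"):
        urls = ",".join(_text(u) for u in _named(sc, "url-pattern"))
        for ac in _named(sc, "auth-constraint"):
            if _text(ac):  # role written as bare text instead of inside <role-name>
                findings.append((urls, "bare-text-in-auth-constraint"))
            for role in map(_text, _named(ac, "role-name")):
                if role != "*" and role not in declared:  # comparison is case-sensitive
                    findings.append((urls, "undeclared-role:" + role))
        methods = [_text(m) for m in _named(sc, "http-method")]
        if methods:  # only the listed methods are constrained by this entry
            findings.append((urls, "only-constrains:" + ",".join(methods)))
    return findings
```

On the sample, the first constraint is flagged for the bare "Admin" text and for covering POST only, and the second for "admin" not matching the declared "Admin".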