Which one is first? Authentication/Authorisation

Ranch Hand
Posts: 344
Which one will be checked first: Authentication or Authorization?
I thought first it will do the authentication; if successful, then it will check for authorisation. But after trying some examples I came to know that it is true only when there is at least one <role-name> specified in the <auth-constraint>.

If there is no <role-name> in the <auth-constraint>, then authorisation is executed first.

Am I right? Any feedback on it, if I am wrong.

And I came to know that only if <auth-constraint> is there will authentication be performed. So we can't say that using <login-config> alone will take care of the authentication; it's the combination of both <login-config> and <auth-constraint>. Am I right?
[ January 16, 2007: Message edited by: Micheal John ]
Ranch Hand
Posts: 1277
If you have no resources to authorise, why do you want anyone to authenticate before he enters your website!
Posts: 2
Declarative authentication is via the <login-config> (or using request.getRemoteUser() programmatically).

Based on your login preference you can choose any of four methods (BASIC, DIGEST, CLIENT-CERT or FORM).
For testing I go with BASIC. You can specify users and roles in the \Tomcat 5.0\conf\tomcat-users.xml file:
<user username="abc" password="xyz" roles="manager"/>
<user username="def" password="def" roles="admin,manager"/>

In your web.xml you can define the

<login-config><auth-method>BASIC</auth-method></login-config>

This will take care of your Authentication.

1. The first step to do authorization is to define roles. In Tomcat you can define roles in the \Tomcat 5.0\conf\tomcat-users.xml file.

You define these roles in web.xml so that the container can map roles to users.


2. Now you can define which resources/methods you want to constrain; you do that in the web.xml file using security-constraint (declaratively).

Here I authorize only the admin role to view a particular page:

<role-name>admin</role-name>

Now someone with the admin role is authorized to view the hobby.do page. E.g. user "abc" may log on but can't access hobby.do; only user "def" can. I am not listing any methods, which means all the methods on this page are constrained.

It's Authentication first (you are who you say you are), then Authorization (you can access what your role determines).

Hope this helps