-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]] On Behalf Of Gareth Jones
Sent: Friday, August 16, 2002 6:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Authentication versus Authorization
They are authentication methods.
Authentication is the container checking that you are who you claim to be - i.e. "enter a password or go away".
Authorisation is the container saying "OK, I know who you are - I'm going to check that you are allowed to use this servlet/web-page/resource".
So in your web.xml you define the authentication method - BASIC, DIGEST, FORM or CLIENT-CERT - which tells the container what to prompt you with for you to enter a password - i.e. basic 64bit encryption logon, 124bit encryption, custom login form, or client certificate.
Then you define web-resource-collections, which define collections of URLs. You specify the ROLES which are allowed to use the collections (i.e. authorised), then at deployment time you map these roles to actual users/groups in the OS or LDAP.
The first time you attempt to use a secured resource (i.e. one whose URL falls into one of the web-resource-collections) the container will check to see if you have been AUTHENTICATED - e.g. if you're using LDAP it will check to see if you have an LDAP cookie. If not, it will intercept the request and redirect it to the login method specified - e.g. custom form. Then, after you have successfully logged in, the container will check that your user profile is in a role which is AUTHORISED to use the requested resource.
You therefore can't be authorised to use a secured resource until the container has first authenticated your ass!
hope that helps
>From: Tom Kochanowicz <[EMAIL PROTECTED]>
>Reply-To: "A mailing list for discussion about Sun Microsystem's Java Servlet API Technology." <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Authentication versus Authorization
>Date: Thu, 15 Aug 2002 21:15:13 -0500
>
>Does anyone have a clear explanation of what the difference is between
>Authentication versus Authorization when it comes to the web.xml deployment
>descriptor? I am confused about the authorization method sub-element of .
>For example BASIC, DIGEST, FORM and CLIENT-CERT are the authorization
>methods...but later I see an explanation that these are the authentication
>methods.
>
>___________________________________________________________________________
>To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>of the message "signoff SERVLET-INTEREST".
>
>Archives: http://archives.java.sun.com/archives/servlet-interest.html
>Resources: http://java.sun.com/products/servlet/external-resources.html
>LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
Thanks for the clear description, Gareth.