kenorb

Reputation: 166737

What's the difference between auth-constraint and security-role?

What's the difference between:

<auth-constraint><role-name>tomcat</role-name></auth-constraint>

and:

<security-role><role-name>tomcat</role-name></security-role>

in a security constraint declaration?

For example if I'm defining BASIC authentication as below, which should I use?

<login-config><auth-method>BASIC</auth-method></login-config>

Upvotes: 1

Views: 584

Answers (1)

Y123

Reputation: 977

The fundamental difference is between the authentication mechanism, which is addressed by auth-method. Authentication is the means for an application to confirm "are you really who you say you are?" Authentication mechanisms can be of many types, but there are some that are supported out of the box by a standard servlet container. One that you have pointed out is BASIC, which is what prompts a browser to show a dialogue box for logging in. This should ideally not be used in prod scenarios, as it transfers your credentials in plain text to the server; also, it is not customizable in any browser that I know of. Typically in prod scenarios FORM is used along with setting up SSL at the server or other infrastructure layer. FORM is highly customizable and most popular when the out-of-the-box feature of servlet web-container authentication is used.

The Role Name is an abstraction which will eventually be used by the application code to perform authorization. "Ok, so you are who you say you are, but are you allowed to access this page, button, or the web application?" How the application handles this internally is not an ask here, but there are Declarative (Annotation based) Servlet APIs, and server-specific mappings are involved here. Here is a way to do so programmatically: How to get user roles in a JSP / Servlet

Upvotes: 1
