Is there a difference between authentication and authorization?
I see these two terms bandied about quite a bit (specifically in web-based scenarios but I suppose it's not limited to that) and I was wondering whether or not there was a difference.
It appears to me that they both mean you're allowed to be doing what you're doing. So is this just a nomenclature thing, or is there a basic difference in meaning?
There is indeed a fundamental difference. Authentication is the mechanism whereby systems may securely identify their users. Authentication systems seek to provide answers to the questions:
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web-based scenario, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
Steve Riley has written a quite good essay on why they must remain distinct.
Authentication refers to verifying an entity's identity. Authorization deals with what an authenticated entity is allowed to do (eg file permissions).
The main point is:
上一篇: 通用认证/授权模块概念
下一篇: 身份验证和授权有区别吗?