Authentication versus Authorization
What's the difference in web applications? In short, please.
I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or both?
Authentication is the process of ascertaining that somebody really is who he claims to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorized to read.
The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.
In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.
In short, please. :-)
Authentication = login + password (who you are)
Authorization = permissions (what you are allowed to do)
Short "auth" is most likely to refer either to the first one or to both.
As Authentication vs Authorization puts it:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
See also:
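The two checks the answers above describe (verifying login credentials, then looking up in an access-control policy whether the recognised user may read, create or delete) are shown below as two separate functions in a minimal request handler. This is an added example and is not code from any of the answers or from the linked article; the users "adam" and "usama", their passwords, the role names and the "db:read"/"db:create"/"db:delete" action names are constructed sample data modelled on the database example in the answers.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store. In a real web app these rows live in a
# database; plaintext passwords appear here only so the example can
# register them. Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
ITERATIONS = 100_000  # kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "role": role}


USERS = {
    u["username"]: u for u in (
        make_user("adam", "correct horse battery staple", "admin"),   # sample
        make_user("usama", "reader-pass-1", "reader"),                # sample
    )
}

# Authorization policy: which actions each role may perform. The action
# names are hypothetical, modelled on "create/delete databases" vs "read".
ROLE_PERMISSIONS = {
    "admin": {"db:read", "db:create", "db:delete"},
    "reader": {"db:read"},
}


@dataclass(frozen=True)
class Principal:
    """The identity established by authentication; input to authorization."""
    username: str
    role: str


# Dummy salt/hash so an unknown username costs the same time as a wrong
# password (avoids leaking which usernames exist via response timing).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: is the caller who they claim to be?"""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Constant-time comparison; the hash is computed even for unknown users.
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not ok:
        return None
    return Principal(user["username"], user["role"])


def authorize(principal: Principal, action: str) -> bool:
    """Authorization: may this already-authenticated principal do `action`?
    Being logged in never implies permission; this is checked per request."""
    return action in ROLE_PERMISSIONS.get(principal.role, set())


def handle_request(username: str, password: str, action: str) -> int:
    """Returns an HTTP-style status: 401 = not authenticated,
    403 = authenticated but not permitted, 200 = allowed.
    Note the naming trap: HTTP 401 is called "Unauthorized" but (RFC 7235)
    means the request lacks valid *authentication* credentials; 403 Forbidden
    is the authorization failure."""
    principal = authenticate(username, password)
    if principal is None:
        return 401
    if not authorize(principal, action):
        return 403
    return 200
```

Splitting the two checks keeps the policy question ("may this role delete a database?") separate from the identity question ("is this really usama?"), so a correct login can never be mistaken for permission, and the same `authorize()` call guards every sensitive route.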