Authentication vs. Authorization (repost): the difference between authentication and authorization

Blog category: java

The original text follows:
http://www.duke.edu/~rob/kerberos/authvauth.html
Authentication vs. Authorization

It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, the same software.

It is important to draw the distinction between these two mechanisms, however, since they can (and, one might argue, should) be performed by separate systems.

What, then, distinguishes these two mechanisms from one another?

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:

    * Who is the user?
    * Is the user really who he/she represents himself to be?


An authentication system may be as simple (and insecure) as a plain-text password challenging system (as found in some older PC-based FTP servers) or as complicated as the Kerberos system described elsewhere in these documents. In all cases, however, authentication systems depend on some unique bit of information known (or available) only to the individual being authenticated and the authentication system -- a shared secret. Such information may be a classical password, some physical property of the individual (fingerprint, retinal vascularization pattern, etc.), or some derived data (as in the case of so-called smartcard systems). In order to verify the identity of a user, the authenticating system typically challenges the user to provide his unique information (his password, fingerprint, etc.) -- if the authenticating system can verify that the shared secret was presented correctly, the user is considered authenticated.

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

    * Is user X authorized to access resource R?
    * Is user X authorized to perform operation P?
    * Is user X authorized to perform operation P on resource R?


Authentication and authorization are somewhat tightly coupled mechanisms -- authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources.

Figure I, below, graphically depicts the interactions between arbitrary authentication and authorization systems and a typical client/server application.

[Figure I: four-block diagram of client/server authentication and authorization]

In the diagram above, a user working at a client system interacts with the authentication system to prove his identity and then carries on a conversation with a server system. The server system, in turn, interacts with an authorization system to determine what rights and privileges the client's user should be granted.
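As an added example (not part of the Duke article or of this blog post), the following Python sketch models the separation the text describes: one component holds the shared secrets and answers the "who is the user?" challenge, a separate component answers "is user X authorized to perform operation P on resource R?", and the server consults both in turn, reproducing the read-but-not-write database user from the text. All class and function names, and the sample user "alice", are constructed for the example.

```python
import hashlib, hmac, os, secrets

class Authenticator:
    """Authentication system: holds the shared secrets and answers 'who is the user?'."""
    def __init__(self):
        self._users = {}     # username -> (salt, key derived from the shared secret)
        self._sessions = {}  # opaque session token -> authenticated username
    def _derive(self, password, salt):  # slow, salted derivation of the shared secret
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def enroll(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))
    def authenticate(self, username, password):  # the challenge: present the secret
        if username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(self._derive(password, salt), stored):
            return None  # wrong secret: not authenticated
        token = secrets.token_hex(16)  # proves to the server that the challenge passed
        self._sessions[token] = username
        return token
    def whoami(self, token):
        return self._sessions.get(token)

class Authorizer:
    """Authorization system: knows rights only, never secrets."""
    def __init__(self):
        self._grants = set()  # (user X, operation P, resource R) triples
    def grant(self, user, operation, resource):
        self._grants.add((user, operation, resource))
    def is_authorized(self, user, operation, resource):  # "is X authorized to do P on R?"
        return (user, operation, resource) in self._grants

def handle_request(authn, authz, token, operation, resource):
    # The server trusts the authenticator for identity and asks the authorizer for rights.
    user = authn.whoami(token)  # step 1: who is this? (authentication)
    if user is None:
        return "unauthenticated"
    if not authz.is_authorized(user, operation, resource):  # step 2: may they do it?
        return "forbidden"
    return f"ok: {user} may {operation} {resource}"

def demo():  # the article's DBMS example: alice may read but not change the accounts table
    authn, authz = Authenticator(), Authorizer()
    authn.enroll("alice", "correct horse battery staple")  # constructed sample user
    authz.grant("alice", "read", "accounts")
    bad_token = authn.authenticate("alice", "wrong password")  # None: challenge failed
    token = authn.authenticate("alice", "correct horse battery staple")
    return tuple(handle_request(authn, authz, t, op, "accounts")
                 for t, op in [(bad_token, "read"), (token, "read"), (token, "write")])
```

Because the authorizer stores only (user, operation, resource) triples and never sees a password, it can be replaced or audited independently of the authentication system, which is the point the article makes about keeping the two mechanisms separate.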


