Authentication vs. Authorization
Original text reproduced from:
http://www.duke.edu/~rob/kerberos/authvauth.html
Authentication vs. Authorization
It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, the same software.
It is important to draw the distinction between these two mechanisms, however, since they can (and, one might argue, should) be performed by separate systems.
What, then, distinguishes these two mechanisms from one another?
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:
* Who is the user?
* Is the user really who he/she represents himself to be?
An authentication system may be as simple (and insecure) as a plain-text password challenging system (as found in some older PC-based FTP servers) or as complicated as the Kerberos system described elsewhere in these documents. In all cases, however, authentication systems depend on some unique bit of information known (or available) only to the individual being authenticated and the authentication system -- a shared secret. Such information may be a classical password, some physical property of the individual (fingerprint, retinal vascularization pattern, etc.), or some derived data (as in the case of so-called smartcard systems). In order to verify the identity of a user, the authenticating system typically challenges the user to provide his unique information (his password, fingerprint, etc.) -- if the authenticating system can verify that the shared secret was presented correctly, the user is considered authenticated.
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
* Is user X authorized to access resource R?
* Is user X authorized to perform operation P?
* Is user X authorized to perform operation P on resource R?
Authentication and authorization are somewhat tightly-coupled mechanisms -- authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources.
Figure I, below, graphically depicts the interactions between arbitrary authentication and authorization systems and a typical client/server application.
[Figure I: four-block diagram of client/server authentication and authorization]
In the diagram above, a user working at a client system interacts with the authentication system to prove his identity and then carries on a conversation with a server system. The server system, in turn, interacts with an authorization system to determine what rights and privileges the client's user should be granted.
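The flow of Figure I, written out as an added example that is not part of the Duke article: an authentication service that holds the users' shared secrets (as salted PBKDF2 hashes, so the verifier never stores the password itself) and issues a Principal on success, a separate authorization service that answers "is user X authorized to perform operation P on resource R?" from a deny-by-default grant table, and a toy database server that trusts the first for identity and consults the second before every operation. The read-only versus read-write split is the article's database example. Every name in the block (Principal, the two services, DatabaseServer, the users alice and bob, the "reports" table and their passphrases) is constructed for this illustration.

```python
# Added example, not from the Duke article: authentication and authorization as
# two separate services in front of a toy database server. All names below are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    """Issued only by AuthenticationService: evidence that identity was verified."""
    name: str


class AuthenticationService:
    """Who is the user, and is he really who he claims to be?"""

    def __init__(self):
        self._records = {}  # username -> (salt, PBKDF2 key); the password itself is never kept

    def enroll(self, username, password):
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, username, password):
        # Unknown users get a dummy record so they pay the same derivation cost.
        salt, stored = self._records.get(username, (b"\x00" * 16, b""))
        if not hmac.compare_digest(self._derive(password, salt), stored):
            raise AuthenticationError("bad username or password")
        return Principal(username)


class AuthorizationService:
    """Is user X authorized to perform operation P on resource R? Deny by default."""

    def __init__(self):
        self._grants = set()  # {(username, operation, resource)}

    def grant(self, username, operation, resource):
        self._grants.add((username, operation, resource))

    def is_authorized(self, principal, operation, resource):
        # Accepts only an authenticated Principal, never a username the client asserted.
        if not isinstance(principal, Principal):
            raise TypeError("authorization requires an authenticated Principal")
        return (principal.name, operation, resource) in self._grants


class DatabaseServer:
    """The server of Figure I: trusts the authenticator for identity, asks the authorizer per operation."""

    def __init__(self, authz, tables):
        self._authz, self._tables = authz, tables

    def execute(self, principal, operation, table, row=None):
        if not self._authz.is_authorized(principal, operation, table):
            raise AuthorizationError(f"{principal.name} may not {operation} {table}")
        if operation == "write":
            self._tables[table].append(row)
        return list(self._tables[table])


def run_demo():
    """Constructed scenario: alice may only read 'reports', bob may also write. Returns each step's outcome."""
    authn = AuthenticationService()
    authn.enroll("alice", "correct horse battery staple")
    authn.enroll("bob", "another long passphrase")
    authz = AuthorizationService()
    for who, op in (("alice", "read"), ("bob", "read"), ("bob", "write")):
        authz.grant(who, op, "reports")
    server = DatabaseServer(authz, {"reports": ["q1"]})
    out = {}
    try:
        authn.authenticate("alice", "wrong password")
    except AuthenticationError:
        out["alice_wrong_password"] = "rejected by authentication"
    alice = authn.authenticate("alice", "correct horse battery staple")
    out["alice_read"] = server.execute(alice, "read", "reports")
    try:
        server.execute(alice, "write", "reports", "q2")
    except AuthorizationError:
        out["alice_write"] = "denied by authorization"
    bob = authn.authenticate("bob", "another long passphrase")
    out["bob_write"] = server.execute(bob, "write", "reports", "q2")
    return out
```

The two failure modes stay distinguishable: a wrong password never reaches the authorizer, and an authenticated user with no matching grant is refused by the authorizer, not by the server's own logic. Passing a bare string where a Principal is expected is a TypeError rather than a lookup, which is what prevents the server from authorizing an identity the client merely claimed.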