What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or is it both?
Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.
The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.
In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.
In short, please. :-)
Authentication = login + password (who you are)
Authorization = permissions (what you are allowed to do)
Short "auth" is most likely to refer either to the first one or to both.
As Authentication vs Authorization puts it:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:
- Who is the user?
- Is the user really who he/she represents himself to be?
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
See also:
- Authentication vs. authorization on Wikipedia
I prefer Verification and Permissions to Authentication and Authorization.
It is easier in my head and in my code to think of "verification" and "permissions" because the two words
- don't sound alike
- don't have the same abbreviation
Authentication is verification and Authorization is checking permission(s). Auth can mean either, but is used more often as "User Auth" i.e. "User Authentication"
The confusion is understandable, since the two words sound similar, and since the concepts are often closely related and used together. Also, as mentioned, the abbreviation Auth doesn't help.
Others have already described well what authentication and authorization mean. Here's a simple rule to help keep the two clearly apart:
- Authentication validates your Identity (or authenticity, if you prefer that)
- Authorization validates your authority, i.e. your right to access and possibly change something.
I have tried to create an image to explain this in the most simple words
1) Authentication means "Are you who you say you are?"
2) Authorization means "Should you be able to do what you are trying to do?".
This is also described in the image below.
I have tried to explain it in the best terms possible, and created an image of the same.
Authentication is the process of verifying the proclaimed identity.
- e.g. username/password
Usually followed by authorization, which is the approval that you can do this and that.
- e.g. permissions
Adding to @Kerrek's answer;
Authentication is Generalized form (All employees can login in to the machine )
Authorization is Specialized form (But admin only can install/uninstall the application in Machine)
Authentication is the process of verifying your log in username and password.
Authorization is the process of verifying that you can access to something.
Authentication means confirming your own identity. Authentication is about validating your credentials such as Username/User ID and password to verify your identity. The system then checks whether you are what you say you are using your credentials. Whether in public or private networks, the system authenticates the user identity through login passwords. Usually authentication is done by a username and password, although there are other various ways to be authenticated.
Authorization means being allowed access to the system. authorization is the process to determine whether the authenticated user has access to the particular resources.
Read more here
来源:https://stackoverflow.com/questions/6556522/authentication-versus-authorization