Authentication versus Authorization
What is the difference in the context of web applications? I often see the abbreviation "auth". Does it stand for authentication or authorization? Or both?
Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases,
while Usama is only authorised to read.
The two concepts are completely orthogonal and independent, but both are central to security design, and failing to get either one right can lead to compromise.
In terms of web applications, very crudely speaking, authentication is checking login credentials to see whether you recognise the user who is logging in, and authorization is looking up in your access control whether that user is allowed to view, edit, delete or create content.
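To make the two steps from this answer concrete, here is an added example (my own code, not from the answerer or any real project) of a toy web handler that first checks login credentials against a salted PBKDF2 verifier (authentication) and only then looks the verified principal up in a role/permission table (authorization). The accounts, roles and the `authenticate`, `authorize` and `handle_request` functions are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: none of these accounts or tables exist anywhere real.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (never store the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Create a (salt, verifier) record for a new account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Credential store (authentication data): username -> (salt, verifier).
USERS = {
    "adam": make_user("correct horse battery"),
    "usama": make_user("staple"),
}

# Access-control data (authorization): username -> roles, role -> allowed (operation, resource).
ROLES = {"adam": {"dba"}, "usama": {"reader"}}
PERMISSIONS = {
    "dba": {("create", "database"), ("delete", "database"), ("read", "database")},
    "reader": {("read", "database")},
}

# Dummy record so that an unknown username costs the same as a wrong password
# (avoids leaking which usernames exist through response timing).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: is the caller really who they claim to be?

    Returns the verified principal name, or None. Says nothing about permissions.
    """
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    actual = hash_password(password, salt)
    # Constant-time compare; also reject unknown users even if they "match" the dummy record.
    if username not in USERS or not hmac.compare_digest(actual, expected):
        return None
    return username


def authorize(principal: str, operation: str, resource: str) -> bool:
    """Authorization: may this already-verified principal perform operation on resource?"""
    return any(
        (operation, resource) in PERMISSIONS.get(role, set())
        for role in ROLES.get(principal, set())
    )


def handle_request(username: str, password: str, operation: str, resource: str) -> Tuple[int, str]:
    """Toy web handler: authenticate first, then authorize, and report which step failed."""
    principal = authenticate(username, password)
    if principal is None:
        # HTTP calls this "401 Unauthorized", but it is an authentication failure.
        return 401, "Unauthorized"
    if not authorize(principal, operation, resource):
        # Identity is established; the requested action is simply not permitted.
        return 403, "Forbidden"
    return 200, f"{principal} may {operation} {resource}"


if __name__ == "__main__":
    print(handle_request("adam", "correct horse battery", "delete", "database"))
    print(handle_request("usama", "staple", "delete", "database"))
    print(handle_request("usama", "wrong", "read", "database"))
```

Note the two failure paths: a bad password never reaches `authorize`, and a correct password for Usama still cannot delete a database. Keeping the credential store and the permission table separate is what lets you change one (rotate a password, add a role) without touching the other, which is the "orthogonal and independent" point of the answer. The HTTP status names are a well-known source of the same confusion: 401 means "not authenticated", 403 means "authenticated but not authorized".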
In short :-)
Authentication = login + password (who you are)
Authorization = permissions (what you are allowed to do)
The short form "auth" most likely refers to the first, or to both.
As Authentication vs. Authorization puts it:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:
- Who is the user?
- Is the user really who he/she represents himself to be?
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
See also:
- Authentication vs. Authorization on Wikipedia
I prefer validation and permission over authentication and authorization.
In my head and in my code, it is easier to think of "validation" and "permission", because these two words
- sound different
- don't share the same abbreviation
Authentication is validation, authorization is checking permissions. "auth" can be either, but is more commonly used for "user authentication".
The confusion is understandable, since the two words sound similar and the concepts are often closely related and used together. Also, as mentioned, the abbreviation "auth" doesn't help.
Others have already described well what authentication and authorization mean. Here is a simple rule to help keep the two clearly apart:
- Authentication validates your Identity (or authenticity, if you prefer that)
- Authorization validates your authority, i.e. your right to access and possibly change something.
I tried to create an image to explain this in the simplest terms.
1) Authentication means "Are you who you say you are?"
2) Authorization means "Can you do what you want to do?"
This is also depicted in the image below.
I tried to explain it in the simplest terms and created an image of the same.
Authentication is the process of verifying a claimed identity.
- e.g. username/password
It is usually followed by authorization, i.e. approval that you may do this and that.
- e.g. permissions
Authentication is the process of verifying the login username and password.
Authorization is the process of verifying whether you can access something.
Adding to @kerrek's answer:
Authentication is the generic form (all employees can log in to the computer).
Authorization is the specialised form (but only administrators can install/uninstall applications on the computer).
Read more here.