在web应用程序中有什么不同?我经常看到缩写“auth”。它是代表认证还是授权?或者两者都有?
当前回答
| Authentication | Authorization | |
|---|---|---|
| What does it do? | Verifies credentials | Grants or denies permissions |
| How does it work? | Through passwords, biometrics, one-time pins, or apps | Through settings maintained by security teams |
| Is it visible to the user? | Yes | No |
| It is changeable by the user? | Partially | No |
| How does data move? | Through ID tokens | Through access tokens |
更详细的答案请参考:https://www.okta.com/identity-101/authentication-vs-authorization/
其他回答
我发现这篇文章中的类比对我很有帮助。
Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation. That person needs: Authentication is in the form of a key. The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials. Authorization is in the form of permissions. Once inside, the person has the authorization to access the kitchen and open the cupboard that holds the pet food. The person may not have permission to go into the bedroom for a quick nap.
因此,简而言之,认证是关于用户身份的,而授权是关于用户权限的。
正如身份验证vs授权所言:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be? Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions: Is user X authorized to access resource R? Is user X authorized to perform operation P? Is user X authorized to perform operation P on resource R?
参见:
Wikipedia上的身份验证与授权
身份验证是确定某人确实是他们所声称的那个人的过程。 授权是指决定谁可以做什么的规则。例如,亚当可能被授权创建和删除数据库, 而Usama只被授权阅读。
这两个概念是完全正交和独立的,但它们都是安全设计的核心,如果其中任何一个概念都不正确,就会导致妥协。
就web应用程序而言,简单地说,身份验证是指你检查登录凭证,看看你是否识别出用户已登录,而授权是指你在访问控制中查看是否允许用户查看、编辑、删除或创建内容。
Authentication是一个验证的过程:
系统中的用户身份(用户名、登录名、电话号码、电子邮件……),通过提供证明(密钥、生物识别、短信……)作为扩展的多因素身份验证。 使用数字签名检查电子邮件[关于] 校验和
授权是身份验证之后的下一步。它是关于资源的权限/角色/特权。OAuth(开放授权)是授权的一个例子
简而言之,请。: -)
身份验证=登录名+密码(你是谁) 授权=权限(你被允许做的事情)
简短的“auth”最有可能指的是第一个或两者。
推荐文章
- 令牌身份验证vs. cookie
- JWT vs cookie用于基于令牌的身份验证
- 在php中生成一个随机密码
- java.util.Random和java.security. securerrandom的区别
- Docker和安全密码
- 准备好的语句如何防止SQL注入攻击?
- 为什么人们会写“throw 1;<不要邪恶>”和“for(;;);”在json响应前?
- 非加密用途的最快哈希?
- 为跨源请求设置cookie
- SHA512 vs. Blowfish和Bcrypt
- REST身份验证方案的安全性
- 如何在postgresql中创建数据库用户?
- cer、pvk和pfx文件有什么区别?
- Django设置“SECRET_KEY”的目的是什么?
- 如何从命令行重置Jenkins安全设置?
