Authentication and Authorization
March 19, 2008. Posted by javafoo in general programming, java, javanotes, security.
I sometimes mistake one for the other. Of course a simple search on Google or Wikipedia will clear this up, but it doesn't stick unless you understand it, assimilate it and put it in your own words. So here goes. For me, authentication means that the authenticating entity (a server, for example) needs to establish that you are who you say you are; the simplest mechanism is a username and password. Authorization is the second stage, after authentication: OK, now I know you are 'joeblack' (you have been authenticated), so what are you trying to do? What roles do you have (admin, user, etc.)? Given your roles, are you allowed to do what you are trying to do? The two are separate decisions and they have to be made in that order: an authorization check on a request nobody has authenticated is meaningless, and authenticating someone without then checking authorization means anyone who can log in can do anything. There, now I will never mix them up, hopefully.
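Here is the two-stage check in Java, as an added example that is not part of the original post. The account store, the role and action names, the policy table and the passwords are all made up for illustration. Authentication hashes the supplied password with the account's stored salt (PBKDF2 from the JDK's own javax.crypto) and compares it against the stored hash in constant time; only an account that passes that step is handed to the authorization check, which consults a role-to-action policy and denies anything the policy does not list.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class AuthDemo {
    enum Role { ADMIN, USER }                    // hypothetical roles
    enum Action { READ_REPORT, DELETE_USER }     // hypothetical actions

    // What the server stores per user: a salt and a PBKDF2 hash, never the password itself.
    static final class Account {
        final String username; final byte[] salt; final byte[] hash; final Set<Role> roles;
        Account(String username, byte[] salt, byte[] hash, Set<Role> roles) {
            this.username = username; this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    static final int ITERATIONS = 100_000;          // assumed work factor; tune for your hardware
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();
    static final byte[] DUMMY_SALT = new byte[16];  // hashed against when the username is unknown

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    static Account register(String username, char[] password, Set<Role> roles) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new Account(username, salt, pbkdf2(password, salt), roles);
    }

    // Stage 1, authentication: is the caller who they claim to be?
    // Returns the account only when the password matches; says nothing about what the user may do.
    static Optional<Account> authenticate(Map<String, Account> db, String username, char[] password) {
        Account acct = db.get(username);
        // Hash even for unknown usernames so response time does not reveal which names exist.
        byte[] candidate = pbkdf2(password, acct == null ? DUMMY_SALT : acct.salt);
        if (acct == null || !MessageDigest.isEqual(candidate, acct.hash)) {  // constant-time compare
            return Optional.empty();
        }
        return Optional.of(acct);
    }

    // Stage 2, authorization: given an already-authenticated account, may it perform this action?
    static final Map<Action, Set<Role>> POLICY = Map.<Action, Set<Role>>of(
        Action.READ_REPORT, EnumSet.of(Role.ADMIN, Role.USER),
        Action.DELETE_USER, EnumSet.of(Role.ADMIN));

    static boolean authorize(Account acct, Action action) {
        Set<Role> allowed = POLICY.getOrDefault(action, EnumSet.noneOf(Role.class)); // default deny
        return acct.roles.stream().anyMatch(allowed::contains);
    }

    public static void main(String[] args) {
        // Constructed sample accounts.
        Map<String, Account> db = new HashMap<>();
        db.put("joeblack", register("joeblack", "correct horse".toCharArray(), EnumSet.of(Role.USER)));
        db.put("alice", register("alice", "s3cret".toCharArray(), EnumSet.of(Role.ADMIN)));

        System.out.println("joeblack, wrong password -> " + authenticate(db, "joeblack", "nope".toCharArray()).isPresent());
        Optional<Account> joe = authenticate(db, "joeblack", "correct horse".toCharArray());
        System.out.println("joeblack authenticated -> " + joe.isPresent());
        // Authorization only ever runs on an account that came out of authenticate().
        joe.ifPresent(a -> {
            System.out.println("joeblack READ_REPORT -> " + authorize(a, Action.READ_REPORT));
            System.out.println("joeblack DELETE_USER -> " + authorize(a, Action.DELETE_USER));
        });
        authenticate(db, "alice", "s3cret".toCharArray())
            .ifPresent(a -> System.out.println("alice DELETE_USER -> " + authorize(a, Action.DELETE_USER)));
    }
}
```

Two details are there on purpose: the lookup still runs PBKDF2 when the username does not exist, so a failed login takes about the same time either way and does not leak which accounts are real, and the policy table is consulted with a default of "no roles", so an action nobody thought to list is denied rather than allowed. In a real application a servlet container or framework will usually do both stages for you, but the split is the same: who are you, then what may you do.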