Authentication versus Authorization


Question

What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or is it both?

Recommended answer

Authentication is the process of ascertaining that somebody really is who they claim to be.

Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.

The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.

In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.
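
The two checks described in the answer above, kept as separate steps in a request handler. This is an added example, not part of the original answer; the user store, the permission table and the names `authenticate`, `authorize` and `handle_request` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


# Constructed sample data: who the users are (authentication) ...
USERS = {"adam": _new_record("adam-pass"), "usama": _new_record("usama-pass")}
# ... and, in a separate table, what each one may do (authorization).
PERMISSIONS = {"adam": {"create", "delete", "read"}, "usama": {"read"}}


def authenticate(username: str, password: str):
    """Return the verified identity, or None if the credentials do not match."""
    record = USERS.get(username)
    # Derive a hash even for unknown users so both paths do similar work.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return username if record is not None and matches else None


def authorize(user: str, action: str) -> bool:
    """Access-control lookup; it trusts that `user` was already authenticated."""
    return action in PERMISSIONS.get(user, set())


def handle_request(username: str, password: str, action: str) -> int:
    user = authenticate(username, password)
    if user is None:
        return 401  # identity not established
    if not authorize(user, action):
        return 403  # identity known, action not permitted
    return 200


if __name__ == "__main__":
    print(handle_request("adam", "adam-pass", "delete"))    # allowed
    print(handle_request("usama", "usama-pass", "delete"))  # authenticated, not authorized
    print(handle_request("usama", "wrong", "read"))         # not authenticated
```

The 401 and 403 results correspond to the two distinct failures: the first means the caller's identity was not proven, the second means a proven identity lacks the permission.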
