Is there a difference between authentication and authorization?


Question

I see these two terms bandied about quite a bit (specifically in web-based scenarios, but I suppose it's not limited to that) and I was wondering whether or not there was a difference.

It appears to me that they both mean you're allowed to be doing what you're doing. So is this just a nomenclature thing, or is there a basic difference in meaning?

Recommended answer

There is indeed a fundamental difference. Authentication is the mechanism whereby systems may securely identify their users. Authentication systems seek to provide answers to the questions:

  • Who is the user?
  • Is the user really who they claim or represent themselves to be?

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web-based scenario, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

  • Is user X authorized to access resource R?
  • Is user X authorized to perform operation P?
  • Is user X authorized to perform operation P on resource R?

Steve Riley has written a quite good essay on why they must remain distinct.
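The database example above, as an added illustration that is not part of the original answer: `authenticate()` answers only "who is this and are they who they claim to be?", while `authorize()` answers "may this (already authenticated) user perform P on R?" with a default-deny lookup. The users `alice` and `bob`, their passwords, the `orders` resource and the ACL contents are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store holds no plaintext secrets (iteration count is illustrative)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash)
_SALT_ALICE, _SALT_BOB = b"constructed-salt-1", b"constructed-salt-2"
USERS = {
    "alice": (_SALT_ALICE, _hash("alice-pw", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash("bob-pw", _SALT_BOB)),
}

# Constructed ACL answering "is user X authorized to perform P on R?"
# alice may read and change the orders table; bob may only read it.
ACL = {
    ("alice", "read", "orders"): True,
    ("alice", "write", "orders"): True,
    ("bob", "read", "orders"): True,
}


@dataclass(frozen=True)
class Principal:
    name: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: who is the user, and are they who they claim to be?"""
    entry = USERS.get(username)
    if entry is None:
        _hash(password, b"dummy-salt")  # keep timing similar for unknown users
        return None
    salt, stored = entry
    return Principal(username) if hmac.compare_digest(_hash(password, salt), stored) else None


def authorize(principal: Optional[Principal], action: str, resource: str) -> bool:
    """Authorization: may this authenticated user do P on R? Default deny."""
    if principal is None:  # no identity established, so no access decision possible
        return False
    return ACL.get((principal.name, action, resource), False)


def attempt(username: str, password: str, action: str, resource: str) -> str:
    principal = authenticate(username, password)
    if principal is None:
        return "unauthenticated"
    return "allowed" if authorize(principal, action, resource) else "forbidden"
```

Note that a valid login on its own grants nothing: `bob` authenticates successfully yet is still refused a write, which is exactly the distinction the answer draws.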

