Chapter 8 -- Practical Authentication and Authorization



This chapter discusses pragmatic authentication and authorization from an application design point of view. As we described in Chapter 1, "Security 101," authentication is the process of verifying the identity of a principal, such as a user or a computer. Authorization is the process of confirming that an authenticated principal is allowed predetermined access to one or more resources. For example, one user might be allowed read and write access to a file, and another might be allowed read access only. Sometimes authorization is referred to as access control. However, we'll make an important distinction between the two: authorization determines whether an authenticated principal has access to a resource, and access control determines access based on conditions not directly related to the principal. For example, access control considerations might include time-of-day information—you might prohibit access to resources between midnight and 3 A.M.
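The distinction above, as an added illustration that is not part of the book's text: the authorization gate asks only whether the authenticated principal holds the requested rights on the resource, while the access-control gate applies a condition unrelated to the principal (the midnight-to-3 A.M. rule). The ACL entries, principal names and blackout window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time
from enum import Flag, auto


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool  # result of the authentication step, assumed done already


# Constructed sample ACL: resource -> {principal name: rights granted}.
# alice has read and write, bob has read only, matching the chapter's example.
ACL = {
    "report.txt": {"alice": Access.READ | Access.WRITE, "bob": Access.READ},
}

# Constructed access-control rule: the resource is unavailable from
# midnight up to (but not including) 3 A.M., regardless of who asks.
BLACKOUT_START = time(0, 0)
BLACKOUT_END = time(3, 0)


def authorize(principal: Principal, resource: str, wanted: Access) -> bool:
    """Authorization: does this authenticated principal hold every requested right?"""
    if not principal.authenticated:
        return False
    granted = ACL.get(resource, {}).get(principal.name, Access.NONE)
    return (granted & wanted) == wanted


def access_control(now: time) -> bool:
    """Access control: a condition about the request, not the principal."""
    return not (BLACKOUT_START <= now < BLACKOUT_END)


def check_request(principal: Principal, resource: str, wanted: Access, now: time):
    """Both gates must pass; the reason names which one denied the request."""
    if not authorize(principal, resource, wanted):
        return (False, "authorization")
    if not access_control(now):
        return (False, "access control")
    return (True, "allowed")
```

Keeping the two checks in separate functions makes it clear which decision depends on the principal's identity and which does not, so a policy change to the blackout window never touches the ACL logic.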

The subjects we'll cover in this chapter include the following:

  • Where to perform authentication and authorization
  • A security best practice
  • Application vs. operating system identity flow
  • Relative Internet Information Services (IIS) authentication performance
  • Example authentication and authorization scenarios
  • Microsoft Passport
  • A warning about passwords and custom authentication


Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138