Authentication is the process of determining a user's identity. Often, authentication is described as forcing users to prove that they are who they claim to be. Authorization is the process of assigning permissions and restrictions to a given user after the user has been authenticated. If authentication fails, the user probably won't be able to use the application at all. If authorization fails, the requested action is aborted. In the Windows operating system, for example, users are authenticated at startup when they supply a username and password combination. Authorization is performed for operations such as deleting a file or attempting to launch Control Panel. Authentication and authorization are what most programmers think of first when they tackle security. Using authentication and authorization, you can create an application that provides different features to different user classes. The distributed application programmer has two options when incorporating authentication into an application:
Windows authentication enables you to use built-in operating system services to manage and verify users. Some of the reasons you might use Windows authentication include the following:
A custom authentication system is generally the most flexible, scalable, and portable choice (meaning it can easily be migrated to a new system), but it also requires the most work. Custom authentication almost always works in tandem with a database. The reasons developers use custom authentication include the following:
In the enterprise world, Windows authentication is most often used when you're Web-enabling an internal application. In this situation, most users will already have login accounts. Custom authentication is the system of choice when your application is serving a third-party audience (such as eager e-shoppers) rather than a known audience of employees or associates. That said, it is possible to use custom authentication with an internal audience. This approach (which you'll see again in the Chapter 18 case study) is particularly common when you need to store additional information about a user in a database or audit a user's actions. It's also possible, but impractical, to use Windows authentication with a large audience. One key stumbling block is that you have no easy way to provide self-registration (for example, a sign-up page on a Web site that enables customers to create their own accounts).
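As an added illustration (not the book's own code), here is a minimal custom authentication system of the kind described above, using a constructed in-memory stand-in for the user database; the user names, roles and action names are assumptions. It keeps the two stages separate: an authentication failure yields no principal at all, while an authorization failure aborts only the requested action.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the user table a custom authentication system keeps in
# its database. Passwords are stored only as salted PBKDF2 hashes, never in clear text.
def _hash(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user_table(plain_users):
    table = {}
    for name, (password, roles) in plain_users.items():
        salt = os.urandom(16)
        table[name] = {"salt": salt, "hash": _hash(password, salt), "roles": frozenset(roles)}
    return table

USERS = make_user_table({"alice": ("correct horse", {"admin"}),
                         "bob": ("battery staple", {"user"})})

# Which roles may perform which actions (the authorization side). Assumed names.
PERMISSIONS = {"view_order": {"user", "admin"}, "delete_file": {"admin"}}

def authenticate(users, name, password):
    """Stage 1: establish identity. Returns a principal, or None if credentials fail."""
    record = users.get(name)
    # Hash even for unknown accounts so a missing user is not revealed by response time.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = _hash(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return {"name": name, "roles": record["roles"]}

def authorize(principal, action):
    """Stage 2: decide whether the already-authenticated principal may perform action."""
    allowed = PERMISSIONS.get(action, set())
    return bool(principal["roles"] & allowed)

def perform(users, name, password, action):
    """Run both stages; each failure mode is reported distinctly."""
    principal = authenticate(users, name, password)
    if principal is None:
        return "authentication failed: no access"
    if not authorize(principal, action):
        return f"authorization failed: {action} aborted"
    return f"{action} performed by {name}"
```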