Chapter 4: Secure Authorization and Authentication
| | ||
| | ||
| | ||
Overview
Often in Web systems, some information must be accessible to a certain person or group of people and other information must be accessible to another group or all users. The task of giving access to information in each particular case is closely related to authentication and authorization.
| Definition | Authentication is checking whether a user is the person that he or she claims to be. Authentication uses information that only the user can give. |
In Web systems, authentication most often uses a pair of values: the user name (login) and the password that proves the user is the person he or she claims to be. It is assumed that only the user knows his or her password.
More complicated and reliable methods of authentication (e.g., biometric ones) are known. However, they aren't used in Web systems.
| Definition | Authorization is checking whether a user has a right to perform a certain action or has access to certain data. Authorization is usually preceded by authentication. |
Authorization can be based on several methods, including the following:
-
Authorization with distribution of users over groups. The users are divided into groups, and the right to perform certain actions and access certain data is defined for each group.
-
Authorization with access levels. Each user is assigned an access level, and each document or action is assigned a minimum access level required from a user to gain access to the document or to perform the action.
-
Authorization with an access table. For each document or action, a user is assigned a value that determines whether he or she has access to the document or the right to perform the action.
In other words, for each document or action, a list of users that have access to the document or the right to perform the action is defined.
| | ||
| | ||
| | ||
