These terms are usually confusing to a novice computer user. I got a lot questions about it during the summer training last month and thought that it would be nice to have a small piece about it on my blog. I would like to make the differences very clear.
Authentication is the process of identifying users based on credentials and ensuring that the users are who they claim to be.Generally this is done through a username and password, that are checked against a known
list of users. There are three Distinct types of Authentication:
- FormAuthenticate allows you to authenticate users based on form POST data. Usually this is a login form that users enter information into.
- BasicAuthenticate allows you to authenticate users using Basic HTTP authentication.
- DigestAuthenticate allows you to authenticate users using Digest HTTP authentication.
However you should know that there are many authentication methods that exist X.509 certificates etc
Choosing an AuthenticationType
Generally you’ll want to offer form based authentication. It is the easiest for users using a web-browser to use. If you are building an API or webservice, you may want to consider basic authentication or digest authentication. The key differences between digest and basic authentication are mostly related to how passwords are handled. In basic authentication, the username and password are transmitted as plain-text to the server. This makes basic authentication un-suitable for applications without SSL, as you would end up exposing sensitive passwords. Digest authentication uses a digest hash of the username, password, and a few other details. This makes digest authentication more appropriate for applications without SSL encryption. You can also use authentication systems like openid as well.
Authorization is the process of ensuring that an identified/authenticated user is allowed to access the resources they are requesting. This is done through roles that are checked against a known list of permissions to the resources. Using roles is the best way of implementing authorizations but you should know that authorization can also be applied to the username. Authorization is always applied after authentication and this means that having access does not necessarily mean having permission to anything. You might as well have access (Authentication) and you cant do anything (No Authorization).