Authentication vs. Authorization
from http://www.oit.duke.edu/~rob/kerberos/authvauth.html
Authentication and authorization mechanisms are easily confused. In many host-based systems (and even in some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, by the same software.
It is nonetheless important to draw a clear distinction between the two mechanisms, because they can (and arguably should) run on different systems.
Authentication is the mechanism by which users of a system are securely identified.
The authentication system answers the following questions:
- Who is the user?
- Is this user really who he or she claims to be?
An authentication system may be as simple as a plaintext password scheme (as found in some older PC-based FTP servers) or as complex as the Kerberos system described elsewhere in these documents. In every case, however, authentication depends on a piece of information that is unique to the individual being authenticated and is known to (or available to) the authentication system: a shared secret. That information may be a conventional password, some physical property of the individual (a fingerprint, a retinal blood-vessel pattern, and so on), or some derived data (as in so-called smartcard systems). To verify a user's identity, the authentication system asks the user to present that unique information (the password, fingerprint, etc.). If the system can verify that the shared secret was presented correctly, the user is considered authenticated.
In contrast, authorization is the mechanism by which a system determines what level of access a particular, already authenticated user should have to the resources the system protects. For example, a database management system may be designed to give some people the ability to retrieve data from a database without modifying it, while giving other people the ability to change data. The authorization system answers questions such as:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
Authentication and authorization are tightly coupled mechanisms: the authorization system depends on a secure authentication system to ensure that users are who they claim to be, and thereby to keep unauthorized users away from protected resources.
Figure 1 below illustrates the interaction between a generic authentication system, an authorization system, and a typical client/server application.
In the figure, a user working on the client system first interacts with the authentication system to prove his or her identity, and then initiates a session with the server system. The server system in turn interacts with the authorization system to determine what permissions the client's user should be granted.
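The separation described above, as an added example that is not part of the original page: an authentication service that holds each user's shared secret (a salted, slow password hash) and answers only "is this really user X?", a distinct authorization service that holds (resource, operation) grants and answers only "may X perform P on R?", and a server flow that consults them in that order. All user names, passwords, resources and operations are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the original page: user names, passwords,
# resources and operations below are illustrative.
def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the shared secret, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthenticationSystem:
    """Answers 'who is this user, and is it really them?' via a shared secret."""
    def __init__(self) -> None:
        self._secrets: dict = {}
    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._secrets[user] = (salt, _derive(password, salt))
    def authenticate(self, user: str, password: str):
        # Returns the authenticated principal name, or None on failure.
        record = self._secrets.get(user)
        if record is None:
            _derive(password, b"\0" * 16)  # same cost for unknown users
            return None
        salt, expected = record
        # Constant-time comparison of the presented and stored secrets.
        return user if hmac.compare_digest(_derive(password, salt), expected) else None

class AuthorizationSystem:
    """Answers 'may principal X perform operation P on resource R?'"""
    def __init__(self) -> None:
        self._grants: dict = {}
    def grant(self, user: str, resource: str, operation: str) -> None:
        self._grants.setdefault(user, set()).add((resource, operation))
    def is_authorized(self, principal: str, resource: str, operation: str) -> bool:
        return (resource, operation) in self._grants.get(principal, set())

def serve(authn, authz, user, password, resource, operation) -> str:
    # The server-side flow of Figure 1: authenticate, then consult authorization.
    principal = authn.authenticate(user, password)
    if principal is None:
        return "authentication failed"
    if not authz.is_authorized(principal, resource, operation):
        return "authorization denied"
    return "allowed"

def demo():
    authn, authz = AuthenticationSystem(), AuthorizationSystem()
    authn.enroll("alice", "correct horse")  # constructed credentials
    authn.enroll("bob", "battery staple")
    authz.grant("alice", "payroll_db", "read")  # alice may read but not modify
    for op in ("read", "write"):
        authz.grant("bob", "payroll_db", op)
    return authn, authz
```

Note that the authorization service never sees a password: it trusts the principal name handed to it, which is exactly why it depends on the authentication step being secure.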