Identity: Authentication, Resources: Authorization

Entities, Principals

A Principal is an entity that accesses your application with certain authorizations (privileges, access rights). A Principal may be
  • one human being or one computer program
  • more than one human being or computer program
A string name identifies a Principal.
When a Principal is associated with more than one entity, it is referred to as a RolePrincipal (or a Role, in the abstract sense).

That is,
Principal = Authorizations, privileges, access rights == One entity
RolePrincipal = Authorizations, privileges, access rights == Many entities

The same entity may have many Principals or RolePrincipals.
That is,
One entity == Many Principals
One entity == Many RolePrincipals

Login (Authentication)

An entity without a (known or established) association to any Principal or RolePrincipal is an "authless", "anonymous", or "authless-anonymous" entity. An authless entity may itself be a Principal/RolePrincipal incarnation, but most of the time the absence of any Principal/RolePrincipal incarnation serves the purpose.

To establish your (the entity's) association with a Principal or RolePrincipal, you need to log in to the system, that is, to authenticate yourself. Once authenticated, you are a Principal/RolePrincipal incarnation.

"Identity" means this established association between you (a living thing) and the Principal/RolePrincipal incarnation (an object) in the system. An identity may be authless or authenticated.

Identity and Resources

A Resource does something for you (you being an entity), or you tell the Resource to do something. You need to be authorized to do something using the Resource, or even to access it, hold it in your hand, or know that it exists.

You MAY need to be a Principal or RolePrincipal to do something using the Resource. That is, you MAY need to log in to (authenticate to) the system to use the Resource. MAY indicates that some Resources can be used by authless entities. That is, a Resource can be accessed or used by either authless or authenticated identities.

Authorization

Associating a collection of access rights or privileges (let's say some strings) with a Principal or RolePrincipal lets the system determine whether the real entity can access or use the Resource(s).

Two ways of defining such association:
  • Declarative: Yes/No, On/Off
  • Programmatic
Declarative is a sort of "binary" authorization: you get access to the Resource if you are authorized; otherwise you don't even know that the Resource exists.

The programmatic way allows levels of authorization, but your Resource (program) needs to alter its behavior based on who you are. The program needs the intelligence to use the identity and to allow that identity to perform something.
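The following is an added example, not code from the original post: it models the post's vocabulary (entities, Principals, RolePrincipals, authless identities, login) and then contrasts the two authorization styles just described. The Python class names, the privilege strings, the sample users and their passwords, and the order records are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# --- Principals and identities (names assumed for this example) ------------

@dataclass(frozen=True)
class Principal:
    """One entity's set of authorizations, identified by a string name."""
    name: str
    privileges: FrozenSet[str]

@dataclass(frozen=True)
class RolePrincipal(Principal):
    """Same shape as Principal, but shared by many entities (a role)."""

@dataclass(frozen=True)
class Identity:
    """The established association between an entity and its principals.
    An identity with no principals is authless (anonymous)."""
    entity: str
    principals: FrozenSet[Principal] = frozenset()

    @property
    def authless(self) -> bool:
        return not self.principals

    def has(self, privilege: str) -> bool:
        # One entity may hold many Principals; any of them may grant it.
        return any(privilege in p.privileges for p in self.principals)

ANONYMOUS = Identity(entity="anonymous")

# Constructed sample principals: one per-entity Principal and two shared roles.
ALICE = Principal("alice", frozenset({"orders:read:own"}))
AUDITOR = RolePrincipal("auditor", frozenset({"orders:read"}))
ADMIN = RolePrincipal("admin", frozenset({"orders:read", "orders:write"}))

# --- Login (authentication) -------------------------------------------------

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _enroll(password: str, principals: FrozenSet[Principal]):
    salt = os.urandom(16)
    return salt, _hash(password, salt), principals

# Constructed credential store; the passwords exist only for this demo.
USERS = {
    "alice": _enroll("alice-pw", frozenset({ALICE, AUDITOR})),
    "bob": _enroll("bob-pw", frozenset({ADMIN})),
}

def login(entity: str, password: str) -> Identity:
    """Return an authenticated identity, or the authless one on failure.
    A failed login does not reveal whether the entity is known."""
    record = USERS.get(entity)
    if record is None:
        _hash(password, b"\0" * 16)   # hash anyway so timing looks the same
        return ANONYMOUS
    salt, stored, principals = record
    if hmac.compare_digest(stored, _hash(password, salt)):
        return Identity(entity, principals)
    return ANONYMOUS

# --- Declarative authorization ---------------------------------------------

# Resource name -> privilege required to reach it (None = open to authless).
DECLARATIVE_ACL: Dict[str, Optional[str]] = {
    "/catalog": None,
    "/orders": "orders:read",
}

def declarative_access(identity: Identity, resource: str) -> Optional[str]:
    """Binary on/off: an unauthorized caller gets the same None as for a
    resource that does not exist, so it cannot tell the resource is there."""
    if resource not in DECLARATIVE_ACL:
        return None
    required = DECLARATIVE_ACL[resource]
    if required is not None and not identity.has(required):
        return None
    return f"contents of {resource}"

# --- Programmatic authorization --------------------------------------------

# Constructed order records.
ORDERS = {"o1": {"owner": "alice", "total": 42, "card": "4111-****-1111"},
          "o2": {"owner": "bob", "total": 7, "card": "5500-****-0004"}}

def programmatic_orders(identity: Identity) -> Dict[str, dict]:
    """The resource itself inspects the identity and shapes its output:
    full record for admins and owners, a redacted view for auditors,
    nothing for anyone else."""
    out: Dict[str, dict] = {}
    for oid, rec in ORDERS.items():
        own = identity.has("orders:read:own") and rec["owner"] == identity.entity
        if identity.has("orders:write") or own:
            out[oid] = dict(rec)
        elif identity.has("orders:read"):
            out[oid] = {"owner": rec["owner"], "total": rec["total"]}
    return out
```

Alice holds both her own Principal and the auditor RolePrincipal, so the programmatic resource gives her a full view of her own order and a redacted view of Bob's, while the declarative gate simply lets her through or not; an anonymous identity sees the open catalog, gets None for the orders resource, and cannot distinguish that from a resource that was never there.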

About

ajitsabnis