Identity: Authentication, Resources: Authorization
By ajitsabnis on Dec 02, 2006
Entities, Principals
A Principal is an entity that accesses your application with certain authorizations (privileges, access rights). A Principal may be
- one human being or one computer program
- more than one human being or computer program
When a Principal is associated with more than one entity, it is referred to as a RolePrincipal (or a Role, in the abstract sense).
Principal = Authorizations, privileges, access rights == One entity
RolePrincipal = Authorizations, privileges, access rights == Many entities
Same entity may have many Principals or RolePrincipals.
One entity == Many Principals
One entity == Many RolePrincipals
An entity without a (known or established) association to any Principal or RolePrincipal is an "authless", "anonymous" or "authless-anonymous" entity. An authless entity may be a Principal/RolePrincipal incarnation, but most of the time the absence of a Principal/RolePrincipal incarnation serves the purpose.
To establish your (the entity's) association to any Principal or RolePrincipal, you need to log in to the system, that is, to authenticate yourself. Once authenticated, you are a Principal/RolePrincipal incarnation.
"Identity" means such established association between you (a living thing) and the Principal/RolePrincipal incarnation (object) in the system. Identity may be authless or authenticated.
Identity and Resources
A Resource does something for you (you being an entity), or you tell the Resource to do something. You need to be authorized to do something using the Resource, or even to access it, hold it in your hand, or know about it.
You MAY need to be a Principal or RolePrincipal to do something using the Resource. That is, you MAY need to log in or to authenticate to the system to use the Resource. MAY indicates that some Resources can be used by authless users. That is, a Resource can be accessed or used by either authless or authenticated identities.
Authorization
Associating a collection of access rights or privileges (let's say some strings) with a Principal or RolePrincipal helps the system determine whether the real entity can access or use the Resource(s).
Two ways of defining such an association:
- Declarative: Yes/No, On/Off
- Programmatic: allows levels of authorization, but your Resource (the program) needs to alter its behavior based on who you are. The program needs the intelligence to use the identity and to allow that identity to perform something.
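The model above (entities, Principals, RolePrincipals, an authless identity, and a Resource checked declaratively versus one that behaves programmatically) as an added example in Python; this is not code from the original post, and the directory, the right strings ("report:read", "report:admin") and the entity names are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """One entity's authorizations: a set of access-right strings."""
    name: str
    rights: frozenset = frozenset()

@dataclass(frozen=True)
class RolePrincipal(Principal):
    """Same shape as a Principal, but shared by many entities."""

# The authless-anonymous identity: no established association, no rights.
ANONYMOUS = Principal("authless-anonymous")

@dataclass
class Identity:
    """Established association between an entity and its Principal(s)."""
    entity: str
    principals: tuple = (ANONYMOUS,)   # one entity may hold many Principals/RolePrincipals

    def authenticated(self):
        return ANONYMOUS not in self.principals

    def rights(self):
        return frozenset().union(*(p.rights for p in self.principals))

# Constructed directory: which Principals/RolePrincipals each entity may incarnate.
STAFF = RolePrincipal("staff", frozenset({"report:read"}))          # many entities share it
DIRECTORY = {
    "alice": [Principal("alice", frozenset({"report:admin"})), STAFF],
    "bob": [STAFF],
}

def authenticate(entity, directory=DIRECTORY):
    """Log in: an unknown entity gets the authless identity, not an error."""
    principals = directory.get(entity)
    return Identity(entity, tuple(principals)) if principals else Identity(entity)

# Declarative: the Resource declares the right it requires (None = authless allowed);
# the decision is Yes/No and the Resource itself carries no identity logic.
def can_access(identity, required):
    return required is None or required in identity.rights()

# Programmatic: the Resource alters its behaviour by level, based on who you are.
def report(identity):
    if "report:admin" in identity.rights():
        return "full report with salaries"
    if "report:read" in identity.rights():
        return "summary report"
    return "public headline only"
```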