Authentication and Authorization in Java

What is Authentication?

Authentication is the process of checking the credentials a user presents against those stored in a system, to prove the user is who they claim to be. If the credentials match, we grant access; if not, we deny it. Note that a well-designed system never stores the password itself: it stores a salted hash and re-derives the hash from the submitted password at login, so a leaked credential store does not hand out working passwords.
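The check described above, as an added example written for this article (not code from the original page): it stores only a per-user salt and a PBKDF2-HMAC-SHA256 hash, verifies with a constant-time comparison, and runs a dummy derivation for unknown usernames so that response time does not reveal which accounts exist. The class name, the in-memory store and the sample user "alice" are assumptions for illustration; only the JDK is used.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Illustrative password authenticator: keeps salted PBKDF2 hashes, never plaintext passwords. */
public final class PasswordAuthenticator {
    // Iteration count in the range the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.
    private static final int ITERATIONS = 600_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Assumed in-memory store: username -> "iterations:base64(salt):base64(hash)".
    private final Map<String, String> store = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Register a user: derive a salted hash with a fresh random salt and keep only that record. */
    public void register(String username, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] hash = derive(password, salt, ITERATIONS);
        store.put(username, ITERATIONS + ":" + b64(salt) + ":" + b64(hash));
    }

    /** Verify credentials: true only when the submitted password re-derives the stored hash. */
    public boolean authenticate(String username, char[] password) {
        String record = store.get(username);
        if (record == null) {
            // Unknown user: still pay for one derivation so timing does not reveal valid usernames.
            derive(password, new byte[SALT_BYTES], ITERATIONS);
            return false;
        }
        String[] parts = record.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = derive(password, salt, iterations);
        // MessageDigest.isEqual compares in constant time instead of stopping at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword(); // scrub the copy of the password held by the spec
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) {
        PasswordAuthenticator auth = new PasswordAuthenticator();
        // Constructed sample account for the demonstration.
        auth.register("alice", "correct horse battery staple".toCharArray());
        System.out.println("alice, right password:   " + auth.authenticate("alice", "correct horse battery staple".toCharArray()));
        System.out.println("alice, wrong password:   " + auth.authenticate("alice", "wrong".toCharArray()));
        System.out.println("unknown user:            " + auth.authenticate("mallory", "anything".toCharArray()));
    }
}
```

The password is passed around as a char[] rather than a String so it can be cleared after use; the stored record carries its own iteration count so the cost can be raised later without invalidating existing users (they are re-hashed on their next successful login).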

Methods of Authentication

Single Factor authentication:

This is often used as the authentication process for lower-risk systems. Only a single factor is needed to authenticate, most commonly a password, so it is more vulnerable to phishing, keyloggers and credential stuffing (trying passwords leaked from one site against another, which works because people reuse them).

2-Factor Authentication:

This method is more secure, as it comprises two factors of authentication: typically something we know, for example a password, plus something we have, for example a phone that receives an SMS code, an authenticator app, or a hardware security key.

For 2-factor authentication, after the password we would enter a one-time code sent to our device by SMS, or a time-based code from a linked authenticator app, which changes every 30 seconds or so.

As we can imagine, this is a lot more secure than simply entering a password, or any single credential. An attacker would need to know the login credentials as well as have access to the physical device for the second part. The factors are not all equal, though: SMS codes can be intercepted through SIM-swap attacks, and both SMS and authenticator-app codes can be phished in real time by a site that relays them to the real login page within the code's validity window. Hardware security keys using FIDO2/WebAuthn bind the response to the site's origin and so resist that relay.

2-factor authentication has become very common amongst online services in recent years, and with many large companies it is the default authentication method. Many require that we set up 2-factor authentication in order to even use the service.
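The authenticator-app code described above is a TOTP value (RFC 6238: an HMAC-SHA1 HOTP, RFC 4226, over the current 30-second time step). The following is an added example written for this article, not code from the original page: it computes and verifies 6-digit TOTP codes, tolerates one step of clock drift in either direction, and remembers the last accepted step so a captured code cannot be replayed. The class name is an assumption, and the secret is supplied as raw bytes (in practice it is the Base32 string from the enrolment QR code; the JDK has no Base32 decoder, so that step is left out).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative server-side TOTP verifier (RFC 6238, SHA-1, 6 digits, 30-second step). */
public final class TotpVerifier {
    private static final int DIGITS = 6;
    private static final long STEP_SECONDS = 30;
    private static final int WINDOW = 1; // accept the previous and next step to tolerate clock drift

    private final byte[] secret;
    private long lastAcceptedCounter = -1; // highest time step already used: replay protection

    public TotpVerifier(byte[] secret) {
        this.secret = secret.clone();
    }

    /** RFC 4226 HOTP value for a given 8-byte big-endian counter (dynamic truncation of HMAC-SHA1). */
    public String hotp(long counter) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(secret, "HmacSHA1"));
            byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
            int offset = h[h.length - 1] & 0x0f;
            int binary = ((h[offset] & 0x7f) << 24)
                       | ((h[offset + 1] & 0xff) << 16)
                       | ((h[offset + 2] & 0xff) << 8)
                       | (h[offset + 3] & 0xff);
            int otp = binary % (int) Math.pow(10, DIGITS);
            return String.format("%0" + DIGITS + "d", otp);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** TOTP: HOTP over the number of 30-second steps since the Unix epoch. */
    public String totp(long unixSeconds) {
        return hotp(unixSeconds / STEP_SECONDS);
    }

    /** Verify a submitted code against the current step +/- WINDOW, rejecting any step already used. */
    public synchronized boolean verify(String code, long unixSeconds) {
        long current = unixSeconds / STEP_SECONDS;
        for (long c = current - WINDOW; c <= current + WINDOW; c++) {
            if (c <= lastAcceptedCounter) {
                continue; // this step (or an earlier one) already produced an accepted code
            }
            if (constantTimeEquals(hotp(c), code)) {
                lastAcceptedCounter = c;
                return true;
            }
        }
        return false;
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII), b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed secret: the ASCII seed from RFC 6238 Appendix B, used here only for demonstration.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        TotpVerifier verifier = new TotpVerifier(secret);
        long now = 59L; // a fixed timestamp rather than System.currentTimeMillis()/1000, so the run is repeatable
        String code = verifier.totp(now);
        System.out.println("code for t=59:        " + code);
        System.out.println("first use accepted:   " + verifier.verify(code, now));
        System.out.println("replay rejected:      " + verifier.verify(code, now));
        System.out.println("wrong code rejected:  " + verifier.verify("000000", now + STEP_SECONDS));
    }
}
```

With that seed and t=59 the code is the last six digits of the 8-digit value RFC 6238 lists for its first test vector. The second verify() call with the same code fails because the step has been consumed, which is the defence against an attacker who captures a code and submits it a few seconds after the victim.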

Multi-Factor Authentication:

Multi-factor authentication (MFA) is the general term for any login that requires two or more independent factors; 2-factor authentication is the two-factor case. Going one step further makes the process more secure still by requiring three factors, drawn from:

  • something we know (a password or PIN; a security question and answer is a weaker form of the same factor, since the answers are often guessable or public; the username only identifies the account and is not a factor)
  • something we have (a mobile phone receiving SMS, an authenticator app, a USB security key)
  • something we are (a fingerprint or face recognition)

For these reasons, multi-factor authentication offers the most protection: an attacker would need to compromise several independent factors, and a physical device or a biometric is a lot more difficult to steal or replicate remotely than a password. The factors should genuinely be independent; a password and a reset code both delivered to the same compromised mailbox do not count as two factors.

The downside to this method of authentication, and the reason it's not used in many average systems, is that it can be cumbersome to set up and maintain. So the data or system you're protecting really has to justify the need for such security.

What is Authorization?

Authorization is the process of verifying that you're allowed to access an area of an application or perform specific actions, based on criteria and conditions put in place by the application. You may also hear it called access control or privilege control.

Common Authorization Methods

Once a user is authenticated, authorization controls are applied to ensure users can access the data they need and perform specific functions, such as adding or deleting information, based on the permissions granted by the organization. These permissions can be assigned at the application, operating system, or infrastructure level. Two common authorization models are:

Role-based access controls (RBAC)

This authorization method gives users access to information based on their role within the organization. For example, all employees within a company may be able to view, but not modify, their personal information such as pay, vacation time, and 401K data. Yet human resources (HR) managers may be given access to all employees' HR information with the ability to add, delete, and change this data. By assigning permissions according to each person's role, organizations can ensure every user is productive, while limiting access to sensitive information.

Attribute-based access control (ABAC)

ABAC grants permissions at a more granular level than RBAC by evaluating a policy over a set of attributes. These may be user attributes, such as the user's name, role, organization, ID, and security clearance; environmental attributes, such as the time of access, the location of the request, and the current organizational threat level; and resource attributes, such as the resource owner, file name, and level of data sensitivity. ABAC is a more complex authorization process than RBAC, designed to limit access further. For example, rather than allowing all HR managers in an organization to change employees' HR data, access can be limited to certain geographical locations or hours of the day to maintain tight security limits.
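The HR policy from the paragraph above, written as an added example for this article (not code from the original page) that evaluates subject, resource and environment attributes together. It requires Java 16 or newer for records; the office codes, clearance levels, business hours and threat-level values are assumptions chosen for illustration. The policy is default-deny: any request no rule explicitly permits is refused.

```java
import java.time.LocalTime;
import java.util.Set;

/** Illustrative ABAC policy for an HR application. */
public final class HrAbacPolicy {
    /** Subject attributes: who is asking. */
    public record Subject(String id, Set<String> roles, String location, String clearance) {}
    /** Resource attributes: what is being touched. */
    public record Resource(String ownerId, String sensitivity) {}
    /** Environment attributes: the circumstances of the request. */
    public record Environment(LocalTime time, String threatLevel) {}

    public enum Action { VIEW, MODIFY }

    // Assumed values for this example.
    private static final Set<String> OFFICE_LOCATIONS = Set.of("LON", "NYC");
    private static final LocalTime BUSINESS_START = LocalTime.of(8, 0);
    private static final LocalTime BUSINESS_END = LocalTime.of(18, 0);

    public static boolean isPermitted(Subject s, Action a, Resource r, Environment e) {
        boolean hrManager = s.roles().contains("HR_MANAGER");
        boolean restricted = "RESTRICTED".equals(r.sensitivity());
        boolean cleared = "SECRET".equals(s.clearance());

        // Rule 1: every employee may view their own record.
        if (a == Action.VIEW && s.id().equals(r.ownerId())) {
            return true;
        }
        // Rule 2: HR managers may view any record; RESTRICTED ones additionally need clearance.
        if (a == Action.VIEW && hrManager) {
            return !restricted || cleared;
        }
        // Rule 3: HR managers may modify records only from an office, in business hours,
        // and not while the organization is at an elevated threat level.
        if (a == Action.MODIFY && hrManager) {
            boolean inOffice = s.location() != null && OFFICE_LOCATIONS.contains(s.location());
            boolean businessHours = !e.time().isBefore(BUSINESS_START) && e.time().isBefore(BUSINESS_END);
            boolean calm = !"HIGH".equals(e.threatLevel());
            return inOffice && businessHours && calm && (!restricted || cleared);
        }
        return false; // default deny
    }

    public static void main(String[] args) {
        // Constructed subjects, resources and environments for the demonstration.
        Subject employee = new Subject("u100", Set.of("EMPLOYEE"), "HOME", null);
        Subject hr = new Subject("u200", Set.of("EMPLOYEE", "HR_MANAGER"), "LON", null);
        Subject hrRemote = new Subject("u201", Set.of("EMPLOYEE", "HR_MANAGER"), "HOME", null);
        Resource ownRecord = new Resource("u100", "INTERNAL");
        Resource otherRecord = new Resource("u300", "INTERNAL");
        Environment officeHours = new Environment(LocalTime.of(10, 30), "LOW");
        Environment lateNight = new Environment(LocalTime.of(23, 15), "LOW");
        Environment incident = new Environment(LocalTime.of(10, 30), "HIGH");

        System.out.println("employee views own record:        " + isPermitted(employee, Action.VIEW, ownRecord, officeHours));
        System.out.println("employee views someone else's:    " + isPermitted(employee, Action.VIEW, otherRecord, officeHours));
        System.out.println("HR modifies in office, daytime:   " + isPermitted(hr, Action.MODIFY, otherRecord, officeHours));
        System.out.println("HR modifies in office, at night:  " + isPermitted(hr, Action.MODIFY, otherRecord, lateNight));
        System.out.println("HR modifies during incident:      " + isPermitted(hr, Action.MODIFY, otherRecord, incident));
        System.out.println("HR modifies from home:            " + isPermitted(hrRemote, Action.MODIFY, otherRecord, officeHours));
    }
}
```

Rules 1 and 2 are what plain RBAC would express; rule 3 is the ABAC refinement, where the same role yields a different decision depending on where, when and under what conditions the request arrives. Keeping the policy in one function with a trailing default deny also makes it straightforward to unit-test each rule in isolation.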

How to Implement Authorization?

There are many ways to implement authorization depending on the frameworks we are using.

Within the .NET framework, for example, you could use role-based access control or claims-based access control. Java frameworks offer the same pair: Spring Security exposes hasRole(...) and hasAuthority(...) checks, and Jakarta EE has the @RolesAllowed annotation and isUserInRole(...).

Role-based access control is centred on the idea that each user within your system is assigned a role. These roles have predefined permissions associated with them, and being granted a role means the user automatically inherits all of those permissions. Roles are typically assigned when the user account is created and set up.

The endpoint or site then simply checks whether the currently logged-in user has the Admin role when they attempt to access the admin area.

The downside to this approach is that roles are coarse, so users are often granted permissions they don't need or shouldn't have.

For example, giving a user the role of Admin may mean they have been given Advanced Create, Edit, Delete, and View user privileges, whereas you may want to give them only View and Basic Create permissions.

Claims-based access control allows finer tuning of a specific user's permissions. The application can either check that a claim simply exists on the user, or check whether a particular value is assigned to the claim.

As an example, a claim called CreateUser could be given to a user and checked when creating a user. Or you could assign a value of Advanced to the same claim, and then make different actions and user interface available depending on whether the value is Advanced or Basic.
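The two checks described above side by side, as an added example written for this article (not the original page's code and not a framework API): a role check that all-or-nothing inherits the Admin permissions, and claim checks that test for the presence of CreateUser or for its Advanced/Basic value. The Principal record, the AccessDeniedException, and the two sample users are assumptions for illustration; Java 16 or newer is required for records.

```java
import java.util.Map;
import java.util.Set;

/** Illustrative role-based and claims-based checks over an authenticated principal. */
public final class AccessChecks {
    /** An authenticated user: coarse roles plus fine-grained claims (claim name -> value). */
    public record Principal(String name, Set<String> roles, Map<String, String> claims) {}

    public static final class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String message) {
            super(message);
        }
    }

    // Role-based: the whole Admin permission set comes with the role.
    public static boolean hasRole(Principal p, String role) {
        return p.roles().contains(role);
    }

    public static void requireRole(Principal p, String role) {
        if (!hasRole(p, role)) {
            throw new AccessDeniedException(p.name() + " lacks role " + role);
        }
    }

    // Claims-based: presence of a claim...
    public static boolean hasClaim(Principal p, String claim) {
        return p.claims().containsKey(claim);
    }

    public static void requireClaim(Principal p, String claim) {
        if (!hasClaim(p, claim)) {
            throw new AccessDeniedException(p.name() + " lacks claim " + claim);
        }
    }

    // ...or a specific value of it.
    public static boolean hasClaim(Principal p, String claim, String value) {
        return value.equals(p.claims().get(claim));
    }

    public static void requireClaim(Principal p, String claim, String value) {
        if (!hasClaim(p, claim, value)) {
            throw new AccessDeniedException(p.name() + " lacks claim " + claim + "=" + value);
        }
    }

    /** Simulated "create user" endpoint: basic creation needs the claim; advanced fields need its Advanced value. */
    public static String createUser(Principal caller, boolean advancedFields) {
        requireClaim(caller, "CreateUser");
        if (advancedFields) {
            requireClaim(caller, "CreateUser", "Advanced");
        }
        return "user created by " + caller.name() + (advancedFields ? " (advanced)" : " (basic)");
    }

    private static void attempt(String label, Runnable action) {
        try {
            action.run();
            System.out.println(label + ": allowed");
        } catch (AccessDeniedException e) {
            System.out.println(label + ": denied (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed sample principals for the demonstration.
        Principal admin = new Principal("admin", Set.of("Admin"),
                Map.of("CreateUser", "Advanced", "EditUser", "true", "DeleteUser", "true", "ViewUser", "true"));
        Principal junior = new Principal("junior", Set.of("Staff"),
                Map.of("CreateUser", "Basic", "ViewUser", "true"));
        Principal viewer = new Principal("viewer", Set.of("Staff"), Map.of("ViewUser", "true"));

        attempt("admin enters admin area", () -> requireRole(admin, "Admin"));
        attempt("junior enters admin area", () -> requireRole(junior, "Admin"));
        attempt("admin advanced create", () -> createUser(admin, true));
        attempt("junior basic create", () -> createUser(junior, false));
        attempt("junior advanced create", () -> createUser(junior, true));
        attempt("viewer basic create", () -> createUser(viewer, false));
    }
}
```

The role check answers one question (is this an Admin?) and unlocks everything the role carries; the claim checks let the junior user create basic accounts without inheriting Edit and Delete, which is the least-privilege outcome the paragraph above is after. In a real service the claims would come from the session or from a verified token rather than being constructed in main().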

Difference Between Authentication and Authorization

  • Authentication: checks the identity of the user before granting access to the system.
    Authorization: checks which resources the verified user may access and what they may do with them.
  • Authentication: establishes who the user is.
    Authorization: attaches permissions to the identity that authentication established.
  • Authentication: is performed first.
    Authorization: is performed only after authentication has succeeded.
  • Authentication: usually needs the user's login credentials (password, one-time code, biometric).
    Authorization: needs the user's roles, privileges or security levels together with the application's access rules.
  • Authentication: answers "is this really the user they claim to be?"
    Authorization: answers "what permissions does this user have?"
  • Authentication: in OpenID Connect (OIDC), the result is conveyed to the client application in an ID Token.
    Authorization: in OAuth 2.0, the grant is conveyed to the resource server in an Access Token.
  • Authentication: OIDC is the authentication layer built on top of OAuth 2.0.
    Authorization: OAuth 2.0 is a delegated-authorization framework; on its own it does not authenticate the user.
  • Popular authentication techniques: password-based authentication, passwordless authentication, 2FA/MFA (two-factor / multi-factor authentication), single sign-on (SSO), social login (usually OIDC or OAuth 2.0 underneath).
    Popular authorization techniques: role-based access control (RBAC), attribute-based access control (ABAC), OAuth 2.0 scopes and access tokens (often JSON Web Tokens, JWT). SAML assertions and OIDC ID tokens are authentication and federation artefacts; the claims they carry are what the application then evaluates to make its authorization decisions.
  • Authentication: the credentials can be changed by the user as and when required.
    Authorization: the permissions are granted by the owner or administrator of the system and cannot be changed by the user.
  • Authentication: is visible to the user (a login screen, a prompt for a code).
    Authorization: is enforced server-side and is normally invisible to the user except as a denied request.
  • Authentication: uses a username with a password, face recognition, retina scan, fingerprint, etc.
    Authorization: uses access rights to resources, typically expressed through pre-defined roles or attributes.
  • Authentication example: by verifying their identity, employees gain access to a human resources (HR) application that includes their personal pay information, vacation time, and 401K data.
    Authorization example: once their level of access is authorized, employees and HR managers can see and change different data based on the permissions set by the organization.

Conclusion

As we can see, although authentication and authorization are very different, each plays an integral part in the security and integrity of the application or system.

These processes go hand in hand, and without one the other is meaningless. If a login lets anyone who can authenticate do whatever they want once inside, including the Admin area, authentication has bought us very little; missing or skippable authorization checks on individual endpoints are a common cause of real-world breaches.

On the other hand, we can't authorize individuals without knowing who they are, which is why authentication always comes before authorization.
