Authentication and Authorization in Java

What is Authentication?

Authentication is the process of comparing the credentials a user provides with those stored in a system, to prove the user is who they say they are. If the credentials match, we grant access. If not, we deny it.

Methods of Authentication

Single-factor authentication: This is often used as the authentication process for lower-risk systems. You only need a single factor to authenticate, the most common being a password, so it is more vulnerable to phishing attacks and key loggers.

2-factor authentication: This method is more secure, as it comprises two factors of authentication: typically something we know, for example a username and password, plus something we have, for example a phone (SMS) or a security token. For 2-factor authentication we would enter a one-time password sent by SMS to our device, or the ever-changing code from a linked authenticator app. As we can imagine, this is a lot more secure than simply entering a password or a single authentication credential: we would need to know the login credentials and also have access to the physical device for the second part. 2-factor authentication has become very common amongst online services in recent years, and with many large companies it is the default authentication method. Many require that we set up 2-factor authentication in order to use the service at all.

Multi-factor authentication: Going one step further, to make our authentication process even more secure, is having three or more factors. This form of authentication usually works on the premise of:
For these reasons, multi-factor authentication offers the most protection, as an attacker would need to compromise multiple factors, and these factors are a lot more difficult to "hack" or replicate. The downside to this method of authentication, and the reason it is not used in many average systems, is that it can be cumbersome to set up and maintain. So the data or system you are protecting really has to justify the need for such security.

What is Authorization?

Authorization is the process of verifying that you are allowed to access an area of an application or perform specific actions, based on certain criteria and conditions put in place by the application. You may also hear it called access control or privilege control.

Common Authorization Methods

Once a user is authenticated, authorization controls are applied to ensure users can access the data they need and perform specific functions, such as adding or deleting information, based on the permissions granted by the organization. These permissions can be assigned at the application, operating system, or infrastructure level. Two common authorization techniques are:

Role-based access control (RBAC)

This authorization method gives users access to information based on their role within the organization. For example, all employees within a company may be able to view, but not modify, their personal information such as pay, vacation time, and 401K data. Yet human resources (HR) managers may be given access to all employees' HR information, with the ability to add, delete, and change this data. By assigning permissions according to each person's role, organizations can ensure every user is productive while limiting access to sensitive information.

Attribute-based access control (ABAC)

ABAC grants users permissions at a more granular level than RBAC, using a series of specific attributes. These may include user attributes such as the user's name, role, organization, ID, and security clearance.
They may include environmental attributes such as the time of access, location of the data, and current organizational threat level. And they may include resource attributes such as the resource owner, file name, and level of data sensitivity. ABAC is a more complex authorization process than RBAC, designed to limit access further. For example, rather than allowing all HR managers in an organization to change employees' HR data, access can be limited to certain geographical locations or hours of the day to maintain tight security limits.

How to Implement Authorization?

There are many ways to implement authorization, depending on the framework we are using. Within the .NET framework, for example, you could use role-based access control or claims-based access control.

Role-based access control is centred on the idea that each user within your system is assigned a role. These roles have predefined permissions associated with them, so being granted a role means the user automatically inherits all of those permissions. The roles are assigned at the time of user creation and setup. When the user attempts to access the admin area, the endpoint or site simply checks whether the currently logged-in user has the Admin role. The downside to this approach is that users are sometimes granted permissions they do not need or should not have. For example, giving a user the Admin role may mean they are given Advanced Create, Edit, Delete, and View user privileges, whereas you may want to give them only View and Basic Create permissions.

Claims-based access control allows finer tuning of a specific user's permissions. The application can check either that a claim simply exists on a user, or that a particular value is assigned to the claim. As an example, a claim called CreateUser could be given to a user, and this is checked when creating a user.
Or you could assign a value of Advanced to the same claim, and then make different actions and user interface available depending on whether the value is Advanced or Basic.

Difference Between Authentication and Authorization
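The following Java program is an added example, not code from the original article, and uses a hypothetical in-memory User record rather than any framework's API. It puts the three checks from the sections above side by side: the coarse RBAC check for the Admin role, a claims-based check that tests for the CreateUser claim with a Basic or Advanced value, and an ABAC-style condition that limits HR data changes to certain hours of the day.

```java
import java.time.LocalTime;
import java.util.Map;
import java.util.Set;

// Hypothetical model of an already-authenticated user: roles for RBAC,
// claims (name -> value) for claims-based checks. Constructed for this example.
record User(String name, Set<String> roles, Map<String, String> claims) {}

public class AuthorizationDemo {
    // RBAC: a single coarse check. Holding Admin implies every admin-area
    // permission, which is exactly the over-granting the text warns about.
    static boolean canAccessAdminArea(User u) {
        return u.roles().contains("Admin");
    }

    // Claims-based: does the claim exist at all, whatever its value?
    static boolean hasClaim(User u, String claim) {
        return u.claims().containsKey(claim);
    }

    // Claims-based with a value: "Advanced" unlocks more than "Basic".
    static boolean hasClaimValue(User u, String claim, String value) {
        return value.equals(u.claims().get(claim));
    }

    // ABAC-style environmental attribute: HR managers may change HR data
    // only during office hours (09:00 to 17:00, an assumed policy window).
    static boolean canChangeHrData(User u, LocalTime now) {
        return u.roles().contains("HRManager")
            && !now.isBefore(LocalTime.of(9, 0))
            && now.isBefore(LocalTime.of(17, 0));
    }

    public static void main(String[] args) {
        User admin = new User("alice", Set.of("Admin"), Map.of());
        // Helpdesk user: may view users and do a Basic create, nothing more.
        User helpdesk = new User("bob", Set.of("User"),
                Map.of("ViewUser", "", "CreateUser", "Basic"));
        User hr = new User("carol", Set.of("HRManager"), Map.of());

        System.out.println("alice admin area: " + canAccessAdminArea(admin));
        System.out.println("bob admin area: " + canAccessAdminArea(helpdesk));
        System.out.println("bob may create users: " + hasClaim(helpdesk, "CreateUser"));
        System.out.println("bob advanced create: " + hasClaimValue(helpdesk, "CreateUser", "Advanced"));
        System.out.println("carol HR edit at 10:00: " + canChangeHrData(hr, LocalTime.of(10, 0)));
        System.out.println("carol HR edit at 22:00: " + canChangeHrData(hr, LocalTime.of(22, 0)));
    }
}
```

Save as AuthorizationDemo.java and run with Java 16 or later (records are required); bob passes the existence check for CreateUser but fails the Advanced value check, and carol's HR edit is allowed at 10:00 but refused at 22:00.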
Conclusion

As we can see, although authentication and authorization are very different, each plays an integral part in the security and integrity of an application or system. These processes go hand in hand, and without one the other is largely meaningless. If anyone who can reach the Admin area can then do whatever they want once inside, it could lead to big problems. On the other hand, we cannot authorize individuals without knowing who they are, which is why authentication always comes before authorization.