Authentication & Authorization?
Parita Patel
Recently I started learning Security Testing, and I came across the terms "Authentication" and "Authorization". I thought of sharing my understanding here:
Authentication: In my understanding, you can only access the application or system if you have valid credentials (username and password) or a key; that is how the system ensures you are an authenticated user of that application or system.
But there is a chance that someone might steal your credentials or secret key and access the system or application.
To prevent unauthenticated users (or hackers) from accessing the system/application, some organizations implement multi-factor authentication or add a stricter validation step to access the system, such as biometrics.
Authorization: When you are privileged to access an option, for example the "Dashboard", or any content of the system, then we can say you are an authorized person for the dashboard or that content of the system.
Authorization is generally categorized based on roles and permissions.
Let us assume a user with the admin role is privileged, i.e. has the permissions, to access all options and the rights to add/edit/update/delete the system's content.
In the same system, a user with the end-user role has limited permissions and rights: they can only view the content and cannot add/edit/update/delete it.
When we use the terms Authorization and Authentication together for a system, we can say that an authorized user must be an authenticated user, but an authenticated user may or may not be authorized to access all the features of the application.
Authentication identifies who you are, and Authorization identifies what permissions you have.
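As an added example (not part of the original post), here is a small Python request handler that applies the two checks in the order described above: authentication first (credentials checked against salted password hashes), then authorization from a role-to-permission table, with the admin and end-user roles and the view/add/edit/update/delete rights used in the explanation. The user names, passwords and permission names are constructed samples.

```python
import hashlib
import hmac
import os

# Constructed sample user store: passwords are kept as salted PBKDF2 hashes,
# never in clear text. Roles follow the post: admin vs end-user.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "alice": _make_user("admin-pass-1", "admin"),     # constructed sample
    "bob": _make_user("viewer-pass-2", "end_user"),   # constructed sample
}

# Authorization table: permissions derive from the role; anything not
# listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "admin": {"view", "add", "edit", "update", "delete"},
    "end_user": {"view"},
}

def authenticate(username: str, password: str):
    """Who are you? Returns the user record on valid credentials, else None."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work so response time does not reveal
        # whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user

def authorize(user: dict, permission: str) -> bool:
    """What may you do? Unknown roles get an empty permission set."""
    return permission in ROLE_PERMISSIONS.get(user["role"], set())

def handle_request(username: str, password: str, action: str) -> str:
    """Authentication always runs first; authorization is checked per action."""
    user = authenticate(username, password)
    if user is None:
        return "401 unauthenticated"
    if not authorize(user, action):
        return "403 forbidden"
    return f"200 {action} allowed for {username}"
```

Note that Bob is authenticated with the right password yet still gets a 403 on delete, which is exactly the "authenticated but not authorized" case from the text.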
We can compare it with a real-life scenario: a secretary of an office may have the correct key to unlock the head office, but they may not have permission to access the computer system of the company's boss. So the secretary is an authenticated person of the company but not an authorized person for all of the company's systems. In comparison, the boss is both an authenticated and an authorized person of the company.
I tried to explain it from my understanding. Please share if you have a different perspective to explain these terms or have some amazing examples to make them easier to understand.
2 years ago: Really useful and helpful for Testers.
4 years ago: Nice explanation!