
cannot understand

 
Timber Lee
Ranch Hand
Posts: 157
I surf to a website's administration interface, and provide my username and password.
After that, I've been granted access to the admin application.
What actions have surely been taken?
POSSIBLE ANSWERS:
* Signing
* Verification
* Authentication (CORRECT)
* Authorization (CORRECT)
* Auditing
I think authorization is not the right answer.
 
Ajith Kallambella
Sheriff
Posts: 5782
I agree. It is too vague.
username/password suggests that it is authentication, but "granting access" can have a broad meaning. It can mean you have been presented with an interface to the application. But have you been authorized to perform something?
I hope the real exam precludes such confusing questions.
 
Bhushan Jawle
Ranch Hand
Posts: 252
If you are browsing as an administrator, doesn't that also mean you are authorized to use all admin services and could see the corresponding menu which a normal user won't?
Thanks,
Bhushan
 
Ajith Kallambella
Sheriff
Posts: 5782
But what if there are additional levels of privileges within admin functions?
 
Andrew Spruce
Greenhorn
Posts: 21
Surely Authentication is not an all or nothing thing. Like a previous poster said, gaining access to the admin console presumes some sort of authentication has taken place (although there is nothing to say this screen is not available to all logged in users).
 
Jack Coleman
Ranch Hand
Posts: 32
I would argue that the answer is correct. In the real world, authentication without any kind of authorization after the fact buys you what? A username/password to protect nothing is kind of pointless if you ask me. Let's say I have an expensive color printer on my network and I didn't care who in the world connected to it and used up all of the expensive ink. I would not need either authentication or authorization. On the other hand, if I wanted to limit the printer resource (authorization), I would protect it with a username/password (authentication). When would you have one without the other?
 
Sridhar Srikanthan
Ranch Hand
Posts: 366
Correct me if I am wrong....
I am trying to give the difference between authentication and authorization.
Taking the example of a website. Authentication is to enter the website to use its regular features. It gives you a way to keep track of who is accessing it and what the traffic is.
Authorization is having various access levels for users. Suppose all users are not supposed to use all the features on the site. An administrator has certain functions, a visitor has certain functions, a designer has certain functions.
So what I feel is that authorization provides various levels of access, whereas authentication gives you access.
Hope I am clear.
Sri
 
Jack Coleman
Ranch Hand
Posts: 32
Taking the example of a website. Authentication is to enter the website to use its regular features.

You just said it yourself, "to use its regular features". That denotes authorization. You authenticate yourself to the website, and you are then authorized to use its regular features. If you are not authenticated, then you are not authorized to use anything. I think that there is a distinction between the two, but I also think that they are so tightly coupled that you can't have one without the other. Am I wrong about this?
 
Sanjay Raghavan
Ranch Hand
Posts: 148
In general, we use the following three terms:
1. Identification
2. Authentication
3. Authorization.
Identification is when you identify yourself to the server. The most common way this occurs is via a user_id. You identify yourself to the server as Sanjay or Ajith or whoever.
Authentication is the way the server authenticates that it is indeed Sanjay or Ajith. How does this happen? Typically via a password. (There can be other examples: client-side SSL authentication, etc.) I am just trying to get the idea across.
Once the user has been identified and authenticated, s/he has to have the authorization to perform various tasks. Normally that is done by associating the user with a group/role and assigning privileges to that group/role. Authorization can be different in each tier, e.g. Web tier authorization (what links are available to the user), EJB tier (what methods can this user access), EIS tier (what schemas can this user query...) and so on.
HTH.
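The three steps in the post above, as an added worked example (not code from the original thread or from any product it mentions): a caller claims a username (identification), proves it with a password checked against a salted PBKDF2 hash (authentication), and is then checked against a role-to-permission table (authorization). The user store, the roles "admin", "operator" and "member", and the permission names are constructed for the illustration. The "operator" role can open the admin console but not delete users, which shows that reaching an admin screen does not by itself imply authorization for every admin function; the "member" role authenticates but is authorized for nothing, and still leaves an audit record. Unknown usernames are run through the same hash computation as wrong passwords so that the login timing does not reveal which names exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An identified and authenticated user plus the roles the store assigned."""
    username: str
    roles: frozenset


@dataclass
class AuditEvent:
    """One audit-trail entry: what was attempted, by whom, and the outcome."""
    action: str
    username: str
    outcome: str
    detail: str = ""


# Constructed role -> permission mapping (hypothetical names for the example).
ROLE_PERMISSIONS = {
    "admin": frozenset({"view_admin_console", "delete_user"}),
    "operator": frozenset({"view_admin_console"}),   # console yes, deletion no
    "member": frozenset(),                            # authenticates, no admin rights
}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is this key, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class AccessControl:
    def __init__(self) -> None:
        self._users = {}          # username -> (salt, derived key, roles)
        self.audit = []           # list of AuditEvent, appended on every decision
        # Dummy credential used for unknown names, so an unknown username costs
        # the same hash computation as a wrong password (no user enumeration by timing).
        self._dummy_salt = os.urandom(16)
        self._dummy_key = _derive("", self._dummy_salt)

    def add_user(self, username: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt), frozenset(roles))

    # Step 1, identification: the caller claims a name; we only check it is known.
    def identify(self, username: str) -> bool:
        return username in self._users

    # Step 2, authentication: prove the claim with the password.
    def authenticate(self, username: str, password: str):
        known = self.identify(username)
        salt, key, roles = self._users.get(
            username, (self._dummy_salt, self._dummy_key, frozenset()))
        # Always derive and compare, then apply 'known', so timing is uniform.
        matches = hmac.compare_digest(_derive(password, salt), key)
        ok = matches and known
        self.audit.append(AuditEvent("login", username, "success" if ok else "failure"))
        return Principal(username, roles) if ok else None

    # Step 3, authorization: does any of the principal's roles carry the permission?
    def authorize(self, principal: Principal, permission: str) -> bool:
        granted = any(permission in ROLE_PERMISSIONS.get(r, frozenset())
                      for r in principal.roles)
        self.audit.append(AuditEvent("authorize", principal.username,
                                     "granted" if granted else "denied", permission))
        return granted


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "admin-pass", ["admin"])
    ac.add_user("bob", "operator-pass", ["operator"])
    ac.add_user("carol", "member-pass", ["member"])
    bob = ac.authenticate("bob", "operator-pass")
    print("bob console:", ac.authorize(bob, "view_admin_console"))   # True
    print("bob delete :", ac.authorize(bob, "delete_user"))          # False
    carol = ac.authenticate("carol", "member-pass")
    print("carol console:", ac.authorize(carol, "view_admin_console"))  # False
    print("unknown login:", ac.authenticate("mallory", ""))          # None
    for event in ac.audit:
        print(event)
```

Each decision is recorded regardless of outcome, so the audit trail is a by-product of the same flow and does not require a separate permission to exist; the per-tier checks described in the post (web links, EJB methods, schemas) would just be further calls to `authorize` with different permission names.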
 
Jack Coleman
Ranch Hand
Posts: 32
Sanjay, could you answer the question? Is there any reason for identification or authentication if there is nothing to be authorized to use? Is there any example where you provide a password to get access to nothing? I can't think of one.
 
Chris Mathews
Ranch Hand
Posts: 2712
Originally posted by Jack Coleman:
Sanjay, could you answer the question? Is there any reason for identification or authentication if there is nothing to be authorized to use? Is there any example where you provide a password to get access to nothing? I can't think of one.

Sure there is. One common reason for doing this is to keep an audit trail. Another reason is for personalization.
 
Jack Coleman
Ranch Hand
Posts: 32
Ok, that makes sense. Thanks for those examples. So to go back to the original post:

I surf to a website's administration interface, and provide my username and password.
After that, I've been granted access to the admin application.
What actions have surely been taken?
POSSIBLE ANSWERS:
* Signing
* Verification
* Authentication (CORRECT)
* Authorization (CORRECT)
* Auditing

It should be correct because of the statements:

provide my username and password
(authentication)
and

i've been granted access to the admin application
(authorization)
 