Authentication 和 Authorization 的区别
背景
我们经常会遇到这两个单词,有些人会有疑惑,但其实他们区分还是比较清晰的。
本人用大白话,用我自己的理解写出
区别
- authentication:是说 “鉴权” 的意思,主要是验证你是谁的问题。一般通过用户名和密码登录来确定你是谁,因为你知道用户名和密码所以你就是这个用户名所代表的人
- authorization:这个一般和 “授权” 有关,你没有authorization去做某个事情,意思是你没权限,并不是说不能确定你是谁
补充
那为什么是 401 是 Unauthorized 而不是 Unautheticated 呢?
这个其实是当初定义这个HTTP Status code的时候搞错了,参考
PS: 关于http的乌龙还有,把请求头的Referrer错误拼写成Referer!只能一直错下去了!
There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
This is a response generally returned by your web server, not your web application.
It’s also something very temporary; the server is asking you to try again.
So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.
Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”
In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
文章由极客之音整理,本文链接:https://www.bmabk.com/index.php/post/135118.html
