A security system gives an administrator the power to protect resources by setting up restrictions on who can do what with the system. All security systems are based on two fundamental concepts: authentication and authorization.
Authentication means proving that you are who you claim to be. Authentication requires that the users of the system have some way of identifying themselves to the system. A familiar example is the identifier/password combination. If you can provide a valid password for an identifier (also called a principal), then you have demonstrated that you are a valid user of that identifier.
The identifier/password combination is probably the most familiar authentication strategy, but it is by no means the only one. Each system can define an authentication strategy to meet its needs. For example, having a valid user's card (like a library card) is sufficient authentication for some systems. Some systems may require no authentication at all, and others may require something as sophisticated as a retinal scan or a DNA match. Each of these strategies is simply a way of proving an identity.
Authentication generally requires two steps:
The validation mechanism varies with the type of information needed. For example, an identifier and password combination is validated against a database of user information (a user registry), and an ID card can be visually inspected for a photograph and an expiration date.
Successful authentication is necessary, but not sufficient, for gaining access to protected resources. After a security system knows who you are, it must use that information to determine what you are allowed to do.
Authorization is the process of determining what a user is permitted to do. Different classes of users can be given different privileges. For example, everyone can read the online card catalogue of a public library. You don't even have to be an authenticated user of the system. In other words, all users are authorized to read the catalogue. But the system probably restricts the right to borrow books to authenticated users, where authenticated means holding a valid card for this library. Depending on the sophistication of the authentication mechanism, the system can restrict your privileges based on the card you carry. For example, certain users can be authorized to borrow an unlimited number of books, and others are limited in the number they can borrow.
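The library example above, worked through in Python as an added illustration (not code from this documentation or from WebSphere Application Server's own security services): a user registry of salted password hashes handles authentication, and a separate policy handles authorization, letting anyone read the catalogue but only authenticated cardholders under their loan limit borrow. The principals, passwords and limits are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed registry entry: salted PBKDF2 hash plus this cardholder's privileges.
# max_loans of None means the cardholder may borrow an unlimited number of books.
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    max_loans: Optional[int]
    loans: int = 0

def make_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(registry: dict, principal: str, password: str, max_loans: Optional[int]) -> None:
    salt = os.urandom(16)
    registry[principal] = Account(salt, make_hash(password, salt), max_loans)

def authenticate(registry: dict, principal: str, password: str) -> Optional[str]:
    """Validate the collected identifier/password pair against the user registry.
    Returns the principal on success, None on failure."""
    account = registry.get(principal)
    if account is None:
        make_hash(password, b"\0" * 16)  # same cost for unknown ids as for bad passwords
        return None
    if not hmac.compare_digest(make_hash(password, account.salt), account.pw_hash):
        return None
    return principal

def authorize(registry: dict, principal: Optional[str], action: str) -> bool:
    """Decide what the caller may do; principal is None for an anonymous caller."""
    if action == "read_catalogue":
        return True                      # everyone may read, authenticated or not
    if action == "borrow":
        if principal is None:
            return False                 # borrowing requires a valid card
        account = registry[principal]
        return account.max_loans is None or account.loans < account.max_loans
    return False                         # deny anything not explicitly granted

def build_registry() -> dict:
    registry = {}
    register(registry, "alice", "correct horse", None)  # constructed: unlimited borrowing
    register(registry, "bob", "battery staple", 2)      # constructed: at most 2 loans
    return registry
```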
The concepts of authentication and authorization allow the construction of security systems that can be tailored to meet the needs of any class of users and any set of privileges. They can be as simple or as complex as necessary. For example, you can use the built-in authentication and authorization services provided by WebSphere Application Server, and you can implement others if your needs require it.