JavaRanch » Java Forums » Professional Certification » Architect Certification (SCEA/OCMJEA)
can not understand

Timber Lee
Ranch Hand

Joined: Oct 14, 2002
Posts: 157
I surf to a website's administration interface and provide my username and password.
After that, I've been granted access to the admin application.
What actions have surely been taken?
POSSIBLE ANSWERS:
* Signing
* Verification
* Authentication (CORRECT)
* Authorization (CORRECT)
* Auditing
I think authorization is not the right answer.


SCJP, SCWCD, SCEA
Ajith Kallambella
Sheriff

Joined: Mar 17, 2000
Posts: 5781
I agree. It is too vague.
Username/password suggests that it is authentication, but "granting access" can have a broad meaning. It can mean you have been presented with an interface to the application. But have you been authorized to perform something?
I hope the real exam precludes such confusing questions.


Open Group Certified Master IT Architect.
Sun Certified Architect(SCEA).
Bhushan Jawle
Ranch Hand

Joined: Nov 22, 2001
Posts: 247
If you are browsing as an administrator, doesn't that also mean you are authorized to use all admin services and could see the corresponding menu which a normal user won't?
Thanks,
Bhushan
Ajith Kallambella
Sheriff

Joined: Mar 17, 2000
Posts: 5781
But what if there are additional levels of privileges within admin functions?
Andrew Spruce
Greenhorn

Joined: Feb 27, 2001
Posts: 21
Surely Authentication is not an all or nothing thing. Like a previous poster said, gaining access to the admin console presumes some sort of authentication has taken place (although there is nothing to say this screen is not available to all logged in users).
Jack Coleman
Ranch Hand

Joined: Apr 08, 2002
Posts: 32
I would argue that the answer is correct. In the real world, authentication without any kind of authorization after the fact buys you what? A username/password to protect nothing is kind of pointless if you ask me. Let's say I have an expensive color printer on my network and I didn't care who in the world connected to it and used up all of the expensive ink. I would not need either authentication or authorization. On the other hand, if I wanted to limit the printer resource (authorization) I would protect it with a username/password (authentication). When would you have one without the other?


Tell me, Mr. Anderson, what good is a phone call when you are unable to speak?
Sridhar Srikanthan
Ranch Hand

Joined: Jan 08, 2003
Posts: 366
Correct me if I am wrong....
I am trying to give the difference between authentication and authorization.
Taking the example of a website: authentication is to enter the website to use its regular features. It gives you a way to keep track of who is accessing it and what the traffic is.
Authorization is having various access levels for users. Suppose all users are not supposed to use all the features on the site. An administrator has certain functions, a visitor has certain functions, a designer has certain functions.
So what I feel is that authorization provides various levels of access, whereas authentication gives you access.
Hope I am clear.
Sri
Jack Coleman
Ranch Hand

Joined: Apr 08, 2002
Posts: 32
Taking the example of a website. Authentication is to enter the website to use its regular features.

You just said it yourself, "to use its regular features". That denotes authorization. You authenticate yourself to the website, and you are then authorized to use its regular features. If you are not authenticated, then you are not authorized to use anything. I think that there is a distinction between the two, but I also think that they are so tightly coupled that you can't have one without the other. Am I wrong about this?
Sanjay Raghavan
Ranch Hand

Joined: May 14, 2002
Posts: 148
In general, we use the following three terms:
1. Identification
2. Authentication
3. Authorization.
Identification is when you identify yourself to the server. The most common way this occurs is via a user_id. You identify yourself to the server as Sanjay or Ajith or whoever.
Authentication is the way the server authenticates that it is indeed Sanjay or Ajith. How does this happen? Typically via a password. (There can be other examples - client-side SSL authentication etc.) I am just trying to get the idea across.
Once the user has been identified and authenticated, s/he has to have the authorization to perform various tasks. Normally that is done by associating the user with a group/role and assigning privileges to that group/role. Authorization can be different in each tier - e.g. Web tier authorization (what links are available to the user), EJB tier (what methods can this user access), EIS tier (what schemas can this user query...) and so on.
HTH.


Sanjay Raghavan, SCJP2, SCEA-J2EE. Moderator - SCEA PREP (http://groups.yahoo.com/group/scea_prep). Co-Author - SCEA@Whiz (http://www.whizlabs.com/scea/scea.html). Where did you sip your Java Today?
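The three-step split described in the post above (identify, authenticate, authorize) as a runnable sketch. This is an added example, not code from the thread or from any J2EE container; the users, passwords, roles and per-tier permissions are constructed, and the audit list stands in for a real audit trail so that a login which ends in "not authorized" still leaves a record.

```python
# Added example (not from the thread): identification, authentication and
# authorization as separate, audited checks; users and roles are constructed.
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 iterations for the constructed user store

def _make_record(password, roles):
    salt = os.urandom(16)
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER), frozenset(roles))

# user_id -> (salt, password hash, roles); privileges hang off the roles
USERS = {
    "sanjay": _make_record("correct horse", {"admin", "user"}),
    "ajith": _make_record("battery staple", {"user"}),
}
# role -> allowed actions, split by tier (web links vs. EJB methods)
PERMISSIONS = {
    "user": {"web:view_home", "ejb:readProfile"},
    "admin": {"web:view_admin_console", "ejb:deleteUser"},
}
AUDIT = []  # audit trail: written even when nothing further is authorized

def identify(user_id):
    # Identification: the caller claims an identity; nothing is proven yet.
    AUDIT.append(("identify", user_id))
    return user_id in USERS

def authenticate(user_id, password):
    # Authentication: prove the claim; constant-time compare of the hash.
    if not identify(user_id):
        AUDIT.append(("authn_fail", user_id))
        return False
    salt, digest, _ = USERS[user_id]
    ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER), digest)
    AUDIT.append(("authn_ok" if ok else "authn_fail", user_id))
    return ok

def authorize(user_id, action):
    # Authorization: does any role of an already-authenticated user grant action?
    allowed = any(action in PERMISSIONS[r] for r in USERS[user_id][2])
    AUDIT.append(("authz_ok" if allowed else "authz_deny", user_id, action))
    return allowed

def admin_console(user_id, password):
    # Login flow for the admin console: authenticate, then authorize the page.
    if not authenticate(user_id, password):
        return "login failed"
    if not authorize(user_id, "web:view_admin_console"):
        return "authenticated but not authorized"  # audit entries still exist
    return "admin console"
```

Running `admin_console("ajith", "battery staple")` shows the case the thread argues about: the password check passes, the role check fails, and the audit trail records both.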
Jack Coleman
Ranch Hand

Joined: Apr 08, 2002
Posts: 32
Sanjay, could you answer the question? Is there any reason for identification or authentication if there is nothing to be authorized to use? Is there any example where you provide a password to get access to nothing? I can't think of one.
Chris Mathews
Ranch Hand

Joined: Jul 18, 2001
Posts: 2712
Originally posted by Jack Coleman:
Sanjay, could you answer the question? Is there any reason for identification or authentication if there is nothing to be authorized to use? Is there any example where you provide a password to get access to nothing? I can't think of one.

Sure there is. One common reason for doing this is to keep an audit trail. Another reason is for personalization.
Jack Coleman
Ranch Hand

Joined: Apr 08, 2002
Posts: 32
Ok, that makes sense. Thanks for those examples. So to go back to the original post:

I surf to a website's administration interface and provide my username and password.
After that, I've been granted access to the admin application.
What actions have surely been taken?
POSSIBLE ANSWERS:
* Signing
* Verification
* Authentication (CORRECT)
* Authorization (CORRECT)
* Auditing

It should be correct because of the statements:

provide my username and password
(authentication)
and

I've been granted access to the admin application
(authorization)