Security is all about preventing a Subject from having direct access to a Restricted Resource (indicated with the red dashed line).
Instead, the Subject has to take a longer route:
● first providing Credentials in order to Authenticate itself,
● and then receiving Authorities which specify which Restricted Resources it can access.
Subject is something that wants to access a Restricted Resource, for example:
● Person, User, Process, Application
Restricted Resource is something that can be accessed only by specific Subjects, for example:
● Room, Application, URL, Endpoint
Credentials are security-related items used to Authenticate a Subject. They answer the question "Who are you?". They can be, for example:
● Username, Password, Temporary Code, ID Card, Bank Card, Token
Authentication is the process of uniquely identifying a Subject by using its Credentials.
● Authentication answers the question "Who are you?" => by using Credentials
Identity/Principal is something that uniquely identifies a Subject (after it has been Authenticated), for example:
● ID, Username, Email, Phone Number
Authorization defines which Restricted Resources are accessible to a Subject/Principal.
● Authorization answers the question "What are you allowed to do?" => by using Authorities & Roles
Authorities/Roles are assigned to both Principals and Restricted Resources to control access to Restricted Resources.
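The terms above chain into a single control flow. The following is an added example, not code from the original slides: a small Python model in which a Subject presents Credentials, Authentication turns them into a Principal carrying Authorities, and Authorization compares those Authorities against the ones a Restricted Resource requires. The user names, passwords, role names and the /admin endpoint are constructed for illustration.

```python
"""Added example (not from the original slides): a minimal model of the
Subject -> Credentials -> Authentication -> Principal -> Authorization ->
Restricted Resource flow. All users, passwords, roles and resources below
are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


# Credentials answer "Who are you?" - here a username plus password.
@dataclass(frozen=True)
class Credentials:
    username: str
    password: str


# Principal: the identity that results from a successful Authentication,
# together with the Authorities it has been granted.
@dataclass(frozen=True)
class Principal:
    username: str
    authorities: frozenset


# Restricted Resource: reachable only by a Principal holding at least one
# of the listed authorities.
@dataclass(frozen=True)
class RestrictedResource:
    name: str
    required_authorities: frozenset


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash; the store never keeps plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed user store performing Authentication."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, authorities):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt), frozenset(authorities))

    def authenticate(self, creds: Credentials) -> Optional[Principal]:
        record = self._users.get(creds.username)
        if record is None:
            # Hash anyway so the response time does not reveal whether the
            # username exists.
            _hash(creds.password, b"\x00" * 16)
            return None
        salt, stored, authorities = record
        if not hmac.compare_digest(stored, _hash(creds.password, salt)):
            return None
        return Principal(creds.username, authorities)


def authorize(principal: Optional[Principal], resource: RestrictedResource) -> bool:
    """Authorization answers "What are you allowed to do?".

    An unauthenticated Subject (no Principal) is always denied.
    """
    if principal is None:
        return False
    return bool(principal.authorities & resource.required_authorities)


def access(store: UserStore, creds: Credentials, resource: RestrictedResource) -> str:
    """The longer route: authenticate first, then authorize, then access."""
    principal = store.authenticate(creds)
    if principal is None:
        return "401 authentication failed"
    if not authorize(principal, resource):
        return "403 forbidden"
    return f"200 {principal.username} accessed {resource.name}"


def demo() -> dict:
    store = UserStore()
    store.add_user("alice", "correct horse", {"ROLE_ADMIN", "ROLE_USER"})
    store.add_user("bob", "battery staple", {"ROLE_USER"})
    admin_endpoint = RestrictedResource("/admin", frozenset({"ROLE_ADMIN"}))
    return {
        "alice_admin": access(store, Credentials("alice", "correct horse"), admin_endpoint),
        "bob_admin": access(store, Credentials("bob", "battery staple"), admin_endpoint),
        "bob_bad_pw": access(store, Credentials("bob", "wrong"), admin_endpoint),
        "unknown_user": access(store, Credentials("mallory", "x"), admin_endpoint),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The two failure outcomes are kept separate on purpose: a failed Authentication (wrong password or unknown user) is reported as 401, while a valid Principal lacking the required Authority is reported as 403. That mirrors the two questions on the slide, "Who are you?" and "What are you allowed to do?".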
Main Terms