I’ve talked about authentication many times on ThinkMiddleware.com. It recently occurred to me that I have never devoted a blog post to defining authentication. I’ve had a section on the subject in a couple of different places, but I wanted to have an article to reference from other posts. So, here we will summarize what the concept of authentication is and provide links to some of the ThinkMiddleware.com material that discusses it.
Authentication is the process of an entity(the Principal) proving its identity to another entity (the System). The Principal could be a computer program(a batch job running in the background), an end user (human), a computer system, a piece of hardware, or other exotic things. The System, for our purposes, is any server-side computer system that requires that connecting clients be identified before access is granted. The Principal provides Credentials to the System that must be authenticated by the System using some type of User Repository. Credentials are sensitive information that positively identify the client and could come in many forms:
- Userid and password
- Digital Signature
- X509v3 client certificate
- pin # + random number from a FOB
A User Repository contains information about Users(Principals), their Credentials, Groups, group membership, and other user attributes. An LDAP Server is a typical example of a User Repository.
More detailed descriptions of these concepts can be found here.
Authentication of a Principal for a Web Application generally involves establishing a stateful session where identity needs to be tracked between successive calls by establishing and tracking a session. For a Web Service, the Authentication step typically only applies to a single invocation of a stateless Web Service; although, it is possible (and increasingly common) that the web service invocation is being called within the context of a web application session.
Authentication is further discussed on ThinkMiddleware.com in these posts:
HTTP Client – Form Based Authentication