Authorization, authentication, and friends
The security of a web application is a vast topic. Although (web) frameworks often offer built-in measures against some common vulnerabilities, such as XSS attacks and SQL injection, many other aspects of web application security remain the responsibility of the engineers building on top of the framework. In this book, we focus on the latter.
Let’s begin by differentiating between the two most popular and commonly confused concepts: authorization and authentication.
Authentication versus authorization
The meaning of life of every web application is to serve user requests (note that a user is not necessarily a human), and, in most cases, we restrict which requests are available to a particular user and which must be forbidden. The underlying decision-making process can be divided into two phases, each of which can be represented by one of the following questions:
- Who’s there?: Or, on behalf of which domain entity...