172 Authentication and Authorization Patterns
Authentication answers “who are you?” Authorization answers “what are you allowed to do?”
Request Decision Path
request -> authenticate principal -> evaluate policy(resource, action) -> allow/deny
Design Rules
- Keep authn and authz modules separate.
- Default deny: any request that no rule explicitly allows is rejected, including requests for which the policy is silent or the inputs are incomplete.
- Keep policy inputs explicit and testable.
Reliability-Security Link
Authorization bugs are usually logic bugs (a missing ownership check, a rule that matches the wrong resource type, a fall-through that allows instead of denies), not crypto bugs. Clear policy modeling and exhaustive test coverage over the full space of policy inputs are the strongest defenses.
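The decision path, the three design rules and the point about exhaustive testing, worked as one added example (not code from the original page): authn and authz are separate functions, the policy is a set of explicit predicates over (principal, resource, action) with deny as the fall-through, and a helper enumerates every combination of role set, ownership and action so a test can compare the whole decision matrix against the intended policy. The session store, roles, resource kinds and tokens are constructed for illustration and are not drawn from any real system.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


# --- Authentication: "who are you?" ---------------------------------------
@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]


# Constructed session table (hypothetical tokens). A real deployment would
# consult a session store or verify a signed token here.
_SESSIONS: Dict[str, Principal] = {
    "tok-alice": Principal("alice", frozenset({"editor"})),
    "tok-bob": Principal("bob", frozenset({"viewer"})),
}


def authenticate(token: Optional[str]) -> Optional[Principal]:
    """Map a bearer token to a principal; None means unauthenticated."""
    if not token:
        return None
    return _SESSIONS.get(token)


# --- Authorization: "what are you allowed to do?" --------------------------
class Action(str, Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Optional[Principal], resource: Resource, action: Action) -> Decision:
    """Evaluate policy(resource, action) for a principal.

    Every input the policy depends on is a named parameter, so each rule can
    be read and tested on its own. The first matching allow rule wins; if no
    rule matches, the function falls through to deny.
    """
    if principal is None:
        return Decision(False, "unauthenticated")  # default deny, rule 1
    if resource.kind == "document":
        can_read = "viewer" in principal.roles or "editor" in principal.roles
        if action == Action.READ and can_read:
            return Decision(True, "viewer or editor may read documents")
        if action == Action.WRITE and "editor" in principal.roles:
            return Decision(True, "editor may write documents")
        # Ownership is an explicit input, not inferred from the role alone.
        if action == Action.DELETE and "editor" in principal.roles and resource.owner == principal.user_id:
            return Decision(True, "editor may delete a document they own")
    return Decision(False, "no rule allows this request")  # default deny


def handle_request(token: Optional[str], resource: Resource, action: Action) -> Decision:
    """request -> authenticate principal -> evaluate policy -> allow/deny."""
    return authorize(authenticate(token), resource, action)


def enumerate_decisions() -> Dict[Tuple[Tuple[str, ...], bool, Action], bool]:
    """Exhaustively evaluate the policy over every (role set, ownership, action)
    combination, so a test can compare the complete matrix against the intended
    policy table instead of relying on a handful of spot checks."""
    role_sets = [frozenset(), frozenset({"viewer"}), frozenset({"editor"}), frozenset({"viewer", "editor"})]
    matrix = {}
    for roles in role_sets:
        principal = Principal("u", roles)
        for owns in (True, False):
            resource = Resource("document", "u" if owns else "someone-else")
            for action in Action:
                matrix[(tuple(sorted(roles)), owns, action)] = authorize(principal, resource, action).allowed
    return matrix


if __name__ == "__main__":
    for key, allowed in sorted(enumerate_decisions().items(), key=str):
        print(key, "->", "allow" if allowed else "deny")
```

The test below checks the matrix by rule rather than by listing individual cases: every empty role set is denied, editors are allowed everything except delete, delete depends only on ownership, and viewers may only read. A change to any rule that shifts a single cell of the matrix fails the test, which is what "exhaustive" buys over spot checks.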