How about both? One of the main things about being on .NET is that both of these elements are baked in for you, so understanding the distinction isn’t really needed. The thing about the Rails world is that there are a lot more code plugins, so you can mix and match these elements as needed. For ASP.NET you need to roll your own or choose from a very limited supply, which can be like rolling your own.
I have yet to actually decide if I like everything being built into one or not. At this point it really doesn’t matter because I need to know the difference for Rails development. The key thing to being effective in Rails is that principles like KISS and DRY mean re-inventing the wheel is not very advisable. It is a good idea to search out plugins/gems for things you want to do. First, though, we need to understand the differences between Authentication and Authorization.
In the past I have often used this as a term for anything that dealt with user “stuff”. The more appropriate term is “Access Control”. Authentication is one part, where you confirm who you are in any number of ways, be it a password, token or a fingerprint. Something is used to verify you are who you say you are.
I have read through several tutorials and sites on doing authentication, and what fits my needs best is Devise. I like how many of the features I want are modules that I can choose to use or not. It will also do some of the grunt work I don’t really want to mess with, in the beginning, when it comes to creating controllers and views and routes. Once I messed with it a bit it was actually fairly easy to use and quite fun, if that is possible. The Railscasts videos over Devise also helped a lot in figuring it out quicker.
Authorization is when you figure out if someone is actually allowed to do what they are trying to do. This generally comes after someone has been authenticated. The best use case is the idea of roles. An admin can do everything whereas an editor can only do a subset of things. You have to check that the authenticated user is authorized to do what they want to.
Research on authorization plugins led me to what I feel is one of the most powerful ones around, declarative authorization. It is so powerful my head was spinning in a matter of 5 minutes trying to figure out how it works. Someday I think this one will be very useful, but for now I need something easier, which brought me to CanCan, which the Railscasts guy wrote. It seems fairly straightforward and until I find a better option I will use it.
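To make the two steps concrete, here is an added example in plain Ruby (not code from this post, and not Devise's or CanCan's implementation). The user records, role table and helper names are hypothetical; `can?` only borrows the name of CanCan's helper. Authentication returns a user or nothing, and authorization then decides, deny by default, what that user's role permits.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample user record; fields and roles are illustrative only.
User = Struct.new(:email, :role, :salt, :digest)
ITERATIONS = 100_000

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: 'sha256')
end

def build_user(email, role, password)
  salt = SecureRandom.random_bytes(16)
  User.new(email, role, salt, hash_password(password, salt))
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authentication: who are you? Returns the matching user or nil.
def authenticate(users, email, password)
  user = users.find { |u| u.email == email }
  # Hash even for unknown emails so timing does not reveal which accounts exist.
  salt = user ? user.salt : "\0" * 16
  candidate = hash_password(password, salt)
  user && secure_equal?(candidate, user.digest) ? user : nil
end

# Authorization: what may you do? Anything not listed for a role is denied.
PERMISSIONS = {
  admin:  { article: %i[read create update destroy], user: %i[read update destroy] },
  editor: { article: %i[read create update] }
}.freeze

def can?(user, action, resource)
  return false if user.nil? # unauthenticated callers get nothing
  PERMISSIONS.fetch(user.role, {}).fetch(resource, []).include?(action)
end

# Constructed sample accounts.
USERS = [build_user('admin@example.test', :admin, 'correct horse'),
         build_user('editor@example.test', :editor, 'battery staple')].freeze
```

Keeping the two checks in separate functions means a valid login never implies permission: an authenticated editor is still refused `:destroy` on an article.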
Authorization with CanCan
One of my biggest holdups when it has come to working on Rails apps has been doing the Access Control element. It kind of scared me because it meant so much non-app code to write. I just want to write my application and get going on with life. It is the reason I like to work with ASP.NET MVC: I can use the built-in Access Control elements and I am on my way. Now that I know about the difference between these two elements when dealing with users, I can better handle the future of development, and not look dumb when talking to people who know better. Kind of like finally understanding what opinionated software means, but that is a story for another day.