Any security model, however it is implemented, must establish two pieces of information before granting anyone access to the system. First, it must determine who is attempting to access the resource, and once that is known, what this person is allowed to do. Determining who is requesting access to the resource is user authentication; determining what they are allowed to do is user authorization.
To explain the interaction between these two elements, let's consider a standard communication between a client requesting a service from GeoServer and GeoServer sending a response to this service. The following sequence diagram shows the flow across this common transaction:
A user makes a request for a service from GeoServer; for example, this might be issuing a WMS GetMap request, or perhaps a WFS-T insert transaction. GeoServer determines whether the service is secured, and then acts accordingly.
If the service is not secured (1.), then GeoServer allows the service request to...
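The sequence described above, as an added illustration (not GeoServer's own code): an unsecured operation such as WMS GetMap passes straight through, while a secured one such as a WFS-T Transaction first requires authentication (who is calling) and then authorization (whether that caller's roles satisfy the rule). The rule syntax, user table and role names are constructed for this example; the rule format is only modeled on GeoServer's services.properties and is an assumption here.

```python
from urllib.parse import parse_qs

# Constructed service rules keyed "service.operation" (syntax modeled on
# GeoServer's services.properties; an assumption of this example, not its code).
# "*" marks an operation that is not secured; otherwise one listed role is needed.
SERVICE_RULES = {
    "wms.getmap": {"*"},
    "wfs.getfeature": {"*"},
    "wfs.transaction": {"ROLE_WFS_WRITE", "ROLE_ADMINISTRATOR"},
}
# Constructed user table: name -> (password, roles). Plaintext only to keep the
# example short; a real deployment stores password hashes.
USERS = {
    "editor": ("s3cret", {"ROLE_WFS_WRITE"}),
    "viewer": ("view-only", {"ROLE_VIEWER"}),
}
ANONYMOUS = ("anonymous", {"ROLE_ANONYMOUS"})  # principal = (name, roles)

def is_secured(service, operation):
    """Unknown operations count as secured so they end in deny-by-default."""
    rule = SERVICE_RULES.get(f"{service}.{operation}".lower())
    return rule is None or "*" not in rule

def authenticate(credentials):
    """Authentication (who?): no credentials -> anonymous; bad password -> None."""
    if credentials is None:
        return ANONYMOUS
    user, password = credentials
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return (user, set(entry[1]))

def authorize(principal, service, operation):
    """Authorization (allowed?): the principal needs a role named in the rule."""
    rule = SERVICE_RULES.get(f"{service}.{operation}".lower())
    return rule is not None and bool(principal[1] & rule)

def handle_request(query_string, credentials=None):
    """Walk the sequence from the text: secured? -> authenticate -> authorize."""
    params = {k.lower(): v[0] for k, v in parse_qs(query_string).items()}
    service, operation = params.get("service", ""), params.get("request", "")
    if not is_secured(service, operation):
        return f"200 {service} {operation} served (service not secured)"
    principal = authenticate(credentials)
    if principal is None:
        return "401 authentication failed"
    if not authorize(principal, service, operation):
        return f"403 {principal[0]} may not call {service} {operation}"
    return f"200 {service} {operation} served to {principal[0]}"
```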