Spring Security – Authentication vs Authorization?

Spring Security is a chain of servlet filters that adds authentication and authorization to your web application, both of which are essential in today's applications. It integrates with Spring MVC and supports OAuth 2.0 among other technologies.

But what is the difference between the two?

Authentication: Here we validate the client, or the user, with a username and password. Many web applications nowadays also validate using a one-time password. Authentication confirms that users are who they say they are!

Authorization: Here we check whether the authenticated user has access to a particular resource or not. Authorization grants a user permission to access a resource.

There is also the notion of a Principal. In Spring Security, the principal is the currently logged-in user. The application remembers the principal once we log in.

How does authorization happen?

Roles are assigned to users in the back-end tables. When authorizing a user, the authorization manager fetches the role details, and the user is then allowed or denied access to resources on the basis of the roles they hold.

For example, in a department store, the department manager may have a Manager role and be authorized to do checkout, make store announcements, etc. The store manager might have an Admin role and have permission to do checkout and make store announcements as well as close the store.
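The store example above, together with the Principal described earlier, written out as a Spring Security configuration. This is an added example, not code from the original post: it assumes Spring Boot 3 / Spring Security 6 with Spring MVC on the classpath, and the usernames, passwords, URL paths and the StoreController class are constructed for illustration. In-memory users stand in for the back-end tables that hold the role assignments.

```java
import java.security.Principal;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class StoreSecurityConfig {

    // Authentication side: who the user is. Two constructed sample users
    // replace the "back-end tables" of the article for this demo.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails deptManager = User.withUsername("dept-manager")
                .password(encoder.encode("change-me"))   // placeholder password
                .roles("MANAGER")                         // stored as ROLE_MANAGER
                .build();
        UserDetails storeManager = User.withUsername("store-manager")
                .password(encoder.encode("change-me"))   // placeholder password
                .roles("ADMIN")                           // stored as ROLE_ADMIN
                .build();
        return new InMemoryUserDetailsManager(deptManager, storeManager);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder hashes with bcrypt by default; passwords are never stored in clear text.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Authorization side: what an authenticated user may do, decided per URL from roles.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Both the department manager and the store manager may check out and announce
                .requestMatchers("/checkout", "/announcements").hasAnyRole("MANAGER", "ADMIN")
                // Only the store manager (Admin role) may close the store
                .requestMatchers("/close-store").hasRole("ADMIN")
                // Everything else still requires a logged-in user
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Hypothetical controller: the Principal parameter is the currently logged-in user.
@RestController
class StoreController {

    @GetMapping("/checkout")
    public String checkout(Principal principal) {
        // principal.getName() is the authenticated username, e.g. "dept-manager"
        return "checkout opened by " + principal.getName();
    }

    @GetMapping("/close-store")
    public String closeStore(Principal principal) {
        // Only reached when the filter chain has already allowed ROLE_ADMIN through
        return "store closed by " + principal.getName();
    }
}
```

Note the role prefix convention: `roles("ADMIN")` on the user builder stores the authority as `ROLE_ADMIN`, and `hasRole("ADMIN")` in the filter chain checks for that same prefixed name, so the two sides match even though neither spells out `ROLE_`. With this configuration a request to `/close-store` authenticated as `dept-manager` is authenticated but not authorized, and Spring Security answers with 403 rather than 401.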

In the next article, we will dive deeper into authentication and authorization and how they work internally.