Spring Security With Authorization#
What Is Authorization?#
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges of use they have (such as access to which file directories, hours of access, amount of allocated storage space, and so forth). Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify which resources the user can be given during this session. Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access.
Authentication And Authorization Differences#
- In authentication the identity of the user is established. Suppose, as an application architect, we want to secure the login page of our application: we ask our users to prove their identity, for example with their email address and password, and that is authentication. Authorization, on the other hand, means that once the authenticated person comes into our application, there may be different roles and access rules defined in the application, such as user A acting as an admin and user B acting as a normal user. Based on these authorities and roles, we control what actions a user may perform inside our application, and that is authorization.
| Authentication | Authorization |
|---|---|
| In authentication, the identity of the user is checked before access to the system is granted. | In authorization, the user's authorities are checked before access to a resource is granted. |
| Authentication is done before authorization. | Authorization always happens after authentication. |
| It usually needs the user's login details. | It needs the user's privileges or roles. |
| If authentication fails, we usually get a 401 error response. | If authorization fails, we usually get a 403 error response. |
| For example, as a bank customer or employee, in order to perform actions in the app we need to prove our identity. | Once logged into the application, the user's roles and authorities decide what kind of actions that user can do. |
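The following is an added example, not code from the original post, showing where the two concerns from the table live in a Spring Security 6 configuration. The `/public/**`, `/admin/**` and `/accounts/**` paths, the package name, and the users `alice` and `bob` are constructed for illustration and are not from the page.

```java
// Added example (not from the original post): one SecurityFilterChain that
// separates authentication (proving identity) from authorization (checking
// roles). Package name, URLs and users below are hypothetical.
package com.example.demo.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AuthzConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules: evaluated only after the request carries an
            // authenticated identity. An authenticated user without the
            // required role is rejected with 403 Forbidden.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/accounts/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated())
            // Authentication mechanism: HTTP Basic. A request with missing or
            // wrong credentials never reaches the rules above and gets
            // 401 Unauthorized from the authentication entry point.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: stored hashes are prefixed with the algorithm id.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed sample users; a real deployment loads them from a store.
        // roles("ADMIN") is stored as the authority "ROLE_ADMIN".
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-password"))
            .roles("ADMIN")
            .build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-password"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}
```

With this configuration, a request to `/admin/report` with no credentials returns 401 (authentication failed), while the same request authenticated as `bob` returns 403 (authenticated, but authorization failed because `bob` only holds `ROLE_USER`). Requests to `/public/**` are permitted without any identity at all.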
Understanding And Implementing Authorization#
- Authentication And Authorization Internal Flow
- How Authorities Are Stored
- Configure Authorities
- Authority And Role In Spring Security
- Configure Roles
- Matchers Methods