After we have established the identity of the user, we must check what that user is allowed to do. This is called authorization: deciding which actions an authenticated user is permitted to perform.
In a web application, it is important to handle two different aspects. Imagine a web application that has a private area for each user and an administration interface. It is quite obvious that we must prevent access to the administration interface for non-privileged users. This can be done by restricting the accessible paths in an application and granting access to only relevant paths. You will see how to do that with Spring Security's WebSecurityConfigurerAdapter.
Some URLs, however, are accessible to all users, but need to display different content. You would not want other people to see your private data! Some resources may react differently, depending on the user: an article may be limited to 1,000 characters for normal users, but to 4,000 characters for premium users.
To handle this, you need to assign access rights to users, in other words, grant permission. One such model is to assign roles to users (such as USER or ADMIN) and restrict access to resources to certain roles. If you need very fine-grained control, you can also use the more powerful (but, alas, more difficult to handle) Access Control Lists (ACLs). Only in the most complicated scenarios would you need to check this by hand, though. Spring Security offers you some simple annotations to limit access to methods within Spring Beans.
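Both aspects described above (path restriction and user-dependent content) can be sketched in one file. This is an added example, not code from the original text. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available (it was deprecated in 5.7 and removed in 6.0). The URL paths, the PREMIUM role name, and the ContentService class are hypothetical.

```java
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // hypothetical admin path
                .antMatchers("/", "/articles/**").permitAll() // open to everyone
                .anyRequest().authenticated()                 // everything else needs a login
            .and().formLogin();
    }
}

@Service
class ContentService { // hypothetical bean, must be found by component scanning
    // Constructed sample data standing in for a real store.
    private final Map<String, String> notes = Map.of("alice", "alice's private notes");

    // Same URL for all users, different content: 1,000 vs. 4,000 characters.
    String visibleText(String fullText, Authentication auth) {
        boolean premium = auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_PREMIUM".equals(a.getAuthority())); // assumed role name
        int limit = premium ? 4000 : 1000;
        return fullText.length() <= limit ? fullText : fullText.substring(0, limit);
    }

    // Method-level rule: only the owner (or an ADMIN) may read these notes.
    @PreAuthorize("#username == authentication.name or hasRole('ADMIN')")
    public String privateNotes(@P("username") String username) {
        return notes.getOrDefault(username, "");
    }
}
```

The path rules are evaluated in declaration order, so the specific `/admin/**` matcher must come before the catch-all `anyRequest()` rule.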