Spring Security
When you are making an API you are opening a door to the world. As we know the world is full of good and bad people, so we need to secure our data from bad guys. So we need to add multilayer security.
Simple Security
In the real world, we hire a security guard. The security guard asks two questions from every one
- Who are you?
- What do you want?
Spring security can provide us same role as a security guard. For example
- Only allow login and logout
- Only certain paths are exposed to the logged-in user
- User need to be logged in and should have a certain role to perform a certain operation
Common scenarios are usually handled by spring boot.
Following are five important concepts related to secuity
- Authentication
It is the related identity of a person. Usually, we enter user names and passwords to identify ourselves. It is knowledge based authentication.Some times we use our mobile or devices to identify ourselves this is called possesstion based authentication. Some times we used both,that is called multifactor authentication.
2. Authorization
It means what person have which rights.For example in a system all people may be can login but all will not have the access to all data.
3.Principle
It means the current logged in users.
4.Granted authorization
It is list containing all person and their authorization
5.Group of authorities or roles
Instead of maintaining list of granted authorties we keep list of all users and their roles
each role = Granted Authorties