Spring Security

When you build an API, you open a door to the world. The world contains good and bad people, so we need to protect our data from the bad ones, and that means adding security in multiple layers.

A simple multilayer security concept

In the real world, we hire a security guard. The security guard asks every person two questions:

  1. Who are you?
  2. What do you want?

Spring Security can play the same role as a security guard. For example, it can:

  1. Allow only login and logout to everyone
  2. Expose only certain paths to logged-in users
  3. Require the user to be logged in and to hold a certain role before performing a certain operation

These common scenarios are usually handled for us by Spring Boot.

  1. Authentication

It concerns the identity of a person. Usually we enter a user name and password to identify ourselves; this is knowledge-based authentication. Sometimes we use our mobile phone or another device to identify ourselves; this is called possession-based authentication. Sometimes we use both, which is called multi-factor authentication.

  2. Authorization

It means which rights a person has. For example, in a system everyone may be able to log in, but not everyone will have access to all data.

  3. Principal

It means the currently logged-in user.

  4. Granted authority

It is a list containing every person and the authorizations granted to them.

  5. Group of authorities or roles

Instead of maintaining a list of granted authorities per user, we keep a list of all users and their roles.

each role = granted authorities
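The three guard rules listed earlier (only login/logout open to everyone, certain paths only for logged-in users, some operations only for a given role) map directly onto a Spring Security configuration. The following is an added example written for this article, not code from the original post; the endpoints `/api/**` and `/admin/**` and the users `alice` and `bob` are constructed for illustration, and it assumes Spring Security 6 (the `SecurityFilterChain` style).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Rule 1: login and logout are the only doors open to anonymous callers
                .requestMatchers("/login", "/logout").permitAll()
                // Rule 2: /api/** (hypothetical path) needs an authenticated principal, any role
                .requestMatchers("/api/**").authenticated()
                // Rule 3: /admin/** (hypothetical path) also needs the ADMIN role,
                // i.e. the granted authority "ROLE_ADMIN"
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Deny by default: any path not listed above is refused
                .anyRequest().denyAll())
            .formLogin(form -> form.permitAll())
            .logout(logout -> logout.permitAll());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder stores a bcrypt hash, never the plain password
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed sample users: each role expands to a granted authority (ROLE_USER, ROLE_ADMIN)
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("bob").password(encoder.encode("bob-pw")).roles("USER", "ADMIN").build());
    }
}
```

With this configuration, `alice` can reach `/api/**` but gets 403 on `/admin/**`, while `bob` can reach both; an unauthenticated request to either is redirected to the login page.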
