Understanding Core Concepts of Spring Security

Aug 22, 2024

Key Concepts in Spring Security

Introduction

  • Overview of five core terms and concepts crucial for understanding Spring Security.
  • These terms are frequently encountered in the context of Spring Security.

Authentication and Authorization

  • Authentication
    • Process of verifying identity.
    • Involves answering "Who are you?"
    • Requires proof of identity (e.g., user ID, password).
    • Types of authentication:
      • Knowledge-based: Relies on information the user knows (passwords, PINs).
      • Possession-based: Involves something the user has (text message codes, key cards).
      • Multi-factor Authentication: Combines multiple authentication types.
  • Authorization
    • Determines what a user can do after authentication.
    • Answers "What are you allowed to do?"
    • Example: Different levels of access in a retail application depending on user roles (clerk, manager).
    • Can only take place after authentication has succeeded.

Principal

  • The entity that has been authenticated; it represents the currently logged-in user.
  • Example: one person with several Google accounts is a different principal depending on which account is logged in.

Granted Authority

  • Represents permissions assigned to a user.
  • Permissions need to be predefined for authorization.
  • Example: Store clerks with specific permissions such as checkout and announcements.

Roles

  • Grouping of authorities for simplified management.
  • Coarse-grained compared to fine-grained authorities.
  • Roles make assigning permissions easier and more consistent.
  • Example: A role for a store clerk encompasses all necessary authorities for that position.
  • While often used interchangeably with authorities, roles refer to grouped permissions.
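The Principal, Granted Authority and Roles sections above, put into a Spring Security 6 configuration as an added example (not code from the original notes). The user names, passwords, authority names and URL paths are constructed for illustration; the store clerk and manager accounts are held in memory.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StoreSecurityConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Knowledge-based factor: store a salted hash, never the password itself.
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed sample principals. A role is simply a GrantedAuthority that
        // carries the ROLE_ prefix; the fine-grained authorities sit beside it.
        var clerk = User.withUsername("clerk")
                .password(encoder.encode("clerk-pass"))
                .authorities("ROLE_CLERK", "CHECKOUT", "ANNOUNCEMENTS")
                .build();
        var manager = User.withUsername("manager")
                .password(encoder.encode("manager-pass"))
                .authorities("ROLE_MANAGER", "ROLE_CLERK", "CHECKOUT", "ANNOUNCEMENTS", "REPORTS")
                .build();
        return new InMemoryUserDetailsManager(clerk, manager);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization: what an authenticated principal may do, decided per URL.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/checkout/**").hasAuthority("CHECKOUT")           // fine-grained
                .requestMatchers("/announcements/**").hasAuthority("ANNOUNCEMENTS") // fine-grained
                .requestMatchers("/reports/**").hasRole("MANAGER")                  // coarse-grained: ROLE_MANAGER
                .anyRequest().authenticated())                                      // authentication comes first
            // Authentication: HTTP Basic asks for the user ID and password.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this configuration the clerk can reach /checkout but receives 403 on /reports, while the manager, who holds both roles, can reach all three paths; an unauthenticated request to any path gets 401 before authorization is even evaluated.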

Conclusion

  • Summary of the five concepts: Authentication, Authorization, Principal, Granted Authority, and Roles.
  • Spring Security allows configuration of these elements but also offers default secure behavior out of the box.
  • Encouragement to explore adding Spring Security to a Spring Boot application for secure default functionality.