Transcript for:
Understanding Core Concepts of Spring Security

In this video you will learn five key concepts and terms associated with Spring Security that you'll really need to know. When you learn Spring Security you'll encounter these core terms and concepts over and over, so in this video I'll break these terms down and explain them for you so that you know exactly what they mean.

The first two terms are so commonly used in the context of security that it's kind of unlikely that you haven't heard them before. They are authentication and authorization. To understand authentication and authorization, you also need to understand the difference between the two, so let's tackle these two terms together. What is authentication, and what is authorization?

I usually like to imagine Spring Security as being this watchman or security guard in front of your web application, stopping every request going in. The security guard typically asks two questions: who are you, and what do you want? And it is your job to answer the security guard those two questions. If you are requesting something from your web application, you answer the first question, who are you, by telling the guard who you are. Note that just telling the guard isn't enough here; you also have to prove it. Proof of who you are is usually by providing some kind of ID, something that only you can provide and an impersonator can't. And then you answer the second question, what do you want, by just stating what you want or what you would like to do. You don't need to provide any proof for the second part, because there's really no point in anyone lying here; you can only possibly get what you ask for.

So answering the first question, who are you, is what's called authentication. Most web applications have some representation of an ID. You open, like, Facebook or LinkedIn; these sites usually have an ID or an account in their system that kind of uniquely corresponds to you. So when you access the site you need to tell it which of those millions of accounts in the system it has corresponds to you. After you tell it which account is associated with you, you also need to prove to the application that it is indeed you. A common way this is done is by providing your user ID and password. It's a way for you to say, "Hey application, here is the secret password that I told you when I created the account; here is the same secret password again to prove that it is indeed me." This type of authentication is called knowledge-based authentication: the authentication is based on knowledge that you have. This can be a password, or a PIN code, or an answer to a personal question, or some other secret that you know.

The biggest advantage of knowledge-based authentication is that it's simple, and it's effective for the most part. However, it does come with a disadvantage: if somebody steals your password, or somehow finds out what your password is, they can impersonate you. All that uniquely identifies you is this single piece of string value. There are, however, other authentication mechanisms in place too, like possession-based authentication. This is, for example, when an app sends you a text message and asks you to enter it. It's trying to identify if you are in possession of something that the real user should be in possession of, in this case your phone, because phones are slightly harder to steal than passwords. Other examples of possession-based authentication include key cards or badges that you use to swipe and enter buildings. The idea is that only the real you can possibly be in possession of this card, so if your card is used to swipe to get into a building, it's likely to be you who's trying to enter that building. Some apps do a combination of knowledge-based and possession-based authentication using what's referred to as multi-factor authentication: enter your password and then verify your text message, right? Two-factor authentication, multi-factor authentication. So that's authentication: basically answering the question "who are you?", of course with proof that you are actually who you say you are.

Now let's move on to authorization. This is the security guard examining what you want and then deciding if you are allowed to do that. In other words, it's answering the question: can this user do what they're trying to do? It's kind of like a yes or no answer for a given operation. The user might be able to do one particular operation and they may not be able to do another operation. Let me give you an example. Consider a retail store application. Everyone who works in the store can log into the application and use it; they can authenticate with their user ID and password. But once they've authenticated, what each person can do in the application really depends on who that user is. A store clerk, for example, can probably access point-of-sale functionality or check if something is in stock. A department manager can probably see how his or her particular department is doing, and the store manager can see everything across the store, across all departments. So every time anybody accesses anything in the application, the app is doing this binary yes or no to arrive at an answer to the question: should this user be allowed to do this operation? It also has mechanisms in place to block the user from doing any operation that they are not allowed to do. This "allow" yes-or-no decision, depending on who the user is and what they're trying to do, is called authorization. So in a way, for authorization you kind of need authentication first: you need to know who the user is first before being able to make a decision on whether or not that particular user can do something or not.

So this is authentication and authorization and the fundamental difference between them. These two terms are not specific to Spring Security, by the way; they're widely used in the software space in general, and they mean kind of the same thing.

All right, concept number three. This is also a Spring Security concept, but it's used in some other frameworks as well. The term is principal. We've talked about how authentication is the process of identifying a person trying to access the application. The principal is the person you have identified through the process of authentication. In other words, a principal is the currently logged-in user. A principal is also a person I really used to hate in primary school, but that's a different story. In the context of Spring Security it is this currently logged-in user; it is that unique information or account in the system that you tie to a specific person in the context of the application. Once you authenticate with any application, say by giving your user ID and password, the application establishes the principal and it remembers it. This is the reason why you authenticate with an application only once and you don't need to enter your user ID or password for, like, every request or page load, because that would be really annoying. Yeah, that's because the app remembers the principal as the currently logged-in user in the context of the application. This term, "in the context of the application", is super important. There may not be a one-to-one mapping between a user, or a human being, and a principal. OK, take Google for example. A single person can create multiple Google accounts, so Google has multiple email IDs or accounts sitting in the system that actually correspond to one user. When the user logs into Google, let's say they're using the credentials of account A, then the principal corresponds to account A; there is a currently logged-in user which corresponds to account A. Then the user can switch their current login to account B, and the principal corresponds to account B. So the best way to think of a principal is as the currently logged-in user, or currently logged-in account.

OK, on to the fourth term and the fourth concept. We've looked at how authentication happens, knowledge-based or possession-based or whatever else. How does authorization happen? How does the application decide whether or not to allow a particular access? Well, that has to be coded in beforehand, obviously. The application owner or maintainer should have specified beforehand: OK, if the user is this, allow them to use only these actions; if the user is this, allow them only these other actions. So it's like a bunch of permissions that are allowed for a given user. In Spring Security, this concept of permission is called authority, or granted authority. Authorization, authority, get it? The user is trying to do something in an application, and the application will allow, or authorize, them to do it only if the user has been granted authority to do so. Picking that retail store example again: the store clerk has the following authorities: do checkout, make store announcements. The department manager has authorities: do checkout, make store announcements, view department financials, view department inventory. The store manager probably has all these authorities plus things like view store financials. These are authorities; these are fine-grained permissions of what the user can do. You can configure these authorities in Spring Security for users and Spring Security takes care of the rest. Any operation that hasn't been specified explicitly as permitted for a given user, well, the user just cannot do the operation. They can have access to only the operations allowed beforehand; otherwise the default response is no.

Now here is the thing with granted authorities: most of the time, for most applications, they are usually too fine-grained. Let's say the retail store hires five store clerks. Now, for each of these store clerks, someone has to assign all the right authorities, every time. Every time a store manager is hired, someone has to make sure all the right authorities have been assigned to them. So this can be tedious. This is where you create the concept of roles. A role is pretty much like a group of authorities that are usually assigned together. So here you create something like a role "store clerk" and assign all the authorities that the store clerk should have, so when a store clerk is hired you assign them to this role and automatically they get all the authorities for that role. Role "department manager" is a role that groups together all the permissions that a department manager should have. See, this makes things super simple as well as makes things consistent. Roles are a more coarse-grained permission, unlike the fine-grained permissions that authorities are. I should mention that with Spring Security both these concepts of authority and role are often used interchangeably; in most cases the difference is literally in just the naming convention used. You will see similar APIs work both with authorities and roles, but remember that the concept differs mainly in how fine-grained the permission is: fine-grained permissions are authorities, more coarse-grained groupings of permissions are roles.

So these are the five Spring Security concepts: authentication, authorization, principal, granted authority, and roles. These are what you can control with Spring Security. You'll be interacting with the framework to configure all these different things: the authentication, authorization, identifying the principal, specifying authorities and roles, and so on. But the thing is, you don't have to do any of this configuration to add Spring Security. Spring Security can be very simply just added to any Spring Boot application, and it has some secure out-of-the-box behavior without you having to configure anything, really. Check this video out to learn how to add Spring Security to your Spring Boot application, and you'll see a very interesting behavior that happens to your application once you do that. Check out this video and I'll see you there.
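As an added example that is not part of the video, here is how the five concepts map onto one Spring Security configuration for the retail store described above. It assumes Spring Boot 3 with Spring Security 6 (the lambda-style `HttpSecurity` DSL and `requestMatchers`); the user names, passwords, URL paths and authority names are made up for illustration, and an in-memory user store stands in for whatever database or identity provider a real store would use.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class RetailStoreSecurityConfig {

    // Knowledge-based authentication: the password is the secret the user knows.
    // Only a slow, salted hash is kept, so a leaked user table cannot be replayed.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Authentication: who can log in and with what proof. Users and passwords
    // here are hypothetical. Each user carries fine-grained authorities plus a
    // ROLE_* authority that represents the role grouping them. Note that
    // User.UserBuilder's roles(...) and authorities(...) overwrite each other,
    // so the role and the authorities are passed in a single authorities(...) call.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails clerk = User.builder()
                .username("clerk")
                .password(encoder.encode("clerk-pw"))
                .authorities("ROLE_STORE_CLERK",
                             "DO_CHECKOUT", "MAKE_STORE_ANNOUNCEMENTS")
                .build();
        UserDetails deptManager = User.builder()
                .username("deptmgr")
                .password(encoder.encode("deptmgr-pw"))
                .authorities("ROLE_DEPARTMENT_MANAGER",
                             "DO_CHECKOUT", "MAKE_STORE_ANNOUNCEMENTS",
                             "VIEW_DEPARTMENT_FINANCIALS", "VIEW_DEPARTMENT_INVENTORY")
                .build();
        UserDetails storeManager = User.builder()
                .username("storemgr")
                .password(encoder.encode("storemgr-pw"))
                .authorities("ROLE_STORE_MANAGER",
                             "DO_CHECKOUT", "MAKE_STORE_ANNOUNCEMENTS",
                             "VIEW_DEPARTMENT_FINANCIALS", "VIEW_DEPARTMENT_INVENTORY",
                             "VIEW_STORE_FINANCIALS")
                .build();
        return new InMemoryUserDetailsManager(clerk, deptManager, storeManager);
    }

    // Authorization: the per-request yes/no decision. Rules are matched top to
    // bottom and the first match wins. A logged-in user who lacks the required
    // authority gets 403; anything not listed falls through to denyAll(), which
    // is the "default response is no" from the video.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/pos/checkout/**").hasAuthority("DO_CHECKOUT")
                .requestMatchers("/announcements/**").hasAuthority("MAKE_STORE_ANNOUNCEMENTS")
                .requestMatchers("/departments/*/financials").hasAuthority("VIEW_DEPARTMENT_FINANCIALS")
                .requestMatchers("/departments/*/inventory").hasAuthority("VIEW_DEPARTMENT_INVENTORY")
                // hasRole("X") is shorthand for hasAuthority("ROLE_X"): the coarse-grained check.
                .requestMatchers("/store/financials").hasRole("STORE_MANAGER")
                .requestMatchers("/whoami").authenticated()
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Principal: the identity Spring Security remembers for the session after a
// successful login. Spring MVC injects the current Authentication; getName()
// is the principal's name and getAuthorities() the granted authorities.
@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    String whoAmI(Authentication authentication) {
        return authentication.getName() + " " + authentication.getAuthorities();
    }
}
```

With this in place, logging in as `clerk` and requesting `/pos/checkout/1` succeeds, while `/store/financials` returns 403: the clerk is authenticated but not authorized. `/whoami` shows the principal's name and authorities. With form login the `SecurityContext` holding the principal is kept in the HTTP session, which is why the password is not re-sent on every page load, as the video describes.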