Introduction to Spring Security

Abhijeet Chopra
Developer’s World
4 min read · Nov 10, 2019

Overview

Spring Security is a framework that, when integrated with the Spring Framework, gives an application a standard way of doing authentication and authorization (access control).

It ships with many pre-built authentication and authorization mechanisms, ranging from in-memory authentication to JDBC authentication and many more. It is easily configurable and can be extended to meet the needs of a specific application.

It can be used for any type of application, from desktop/standalone programs (method-level security on plain Spring beans) to servlet and reactive web applications, and a basic setup takes very little time.
</gre_replace>
<gr_replace lines="15" cat="clarify" orig="Spring Security works">
Spring Security is entirely self-contained: everything it needs is carried inside your application once you add and configure it. There is no special configuration or policy file to install into the JVM, and no need to put Spring Security on a shared classpath location.

Spring Security works in a self-contained manner which means that every file that is needed by spring security framework is present in your application when you configure spring security in your application and there is no need of any special configuration/policy file that needs to be added to the JVM or there is no need to add spring security to common classpath location.

In technical terms, Spring Security for a servlet web application is a chain of servlet filters stacked in a defined order. The servlet container sees a single filter, DelegatingFilterProxy, which hands every request to Spring's FilterChainProxy; that in turn picks the SecurityFilterChain that matches the request, an ordered list of filters (login, security context, exception translation and, last, authorization) assembled according to the security needs of the application.
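The filter chain and the in-memory authentication mentioned above, as an added example that is not code from the original article: a Spring Security 6 / Spring Boot 3 configuration class. The class name, URL paths, account names and passwords are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; names and paths are illustrative.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The SecurityFilterChain bean is the ordered stack of servlet filters the
    // article describes. Each call below contributes filters to it: formLogin()
    // adds UsernamePasswordAuthenticationFilter, logout() adds LogoutFilter, and
    // authorizeHttpRequests() adds AuthorizationFilter at the end of the chain.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutSuccessUrl("/"));
        return http.build();
    }

    // In-memory authentication with two constructed demo accounts. Passwords are
    // hashed through the delegating encoder (bcrypt by default, stored with a
    // "{bcrypt}" prefix), so no plain-text password is kept in memory after startup.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-demo-password"))
            .roles("USER")                 // stored as the authority ROLE_USER
            .build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-demo-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

Hard-coded demo accounts are only acceptable in a sample; to move to JDBC authentication, the UserDetailsService bean becomes `new JdbcUserDetailsManager(dataSource)` against the standard users/authorities tables and the filter chain does not change at all, which is the point of separating the two beans.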

What is Authentication?

Many people still get confused when the word authentication comes into the picture, so before diving into the details of authentication in Spring Security, which you can read in my upcoming article, let us first get a clear understanding of what authentication actually means.

In layman's terms, authentication happens when a person tries to access a restricted resource (data): he/she must be identified and verified so that the system can confirm that the user really is who he/she claims to be.

One of the most common ways of authenticating a person in an application is the username and password that the user chooses at the time of creating their account.

So when you log in to Facebook or Instagram by providing a username and password, you are being authenticated by the application so that it can decide whether you are allowed to enter it or not.

Figure: typical authentication process for a simple website login.

What is Authorization?

Once a person has been authenticated by the application, the next step is authorization.

Authorization determines the extent to which a user may access restricted resources. The application ensures that the user can reach only the parts of a resource that he/she is allowed to.

This means that even after a user is authenticated and gets into the application, he/she can only access a limited part of the resources, depending on the level of clearance the user has in that application.

For example, in a 10-storey government building, suppose a person's identity card grants access to the 1st to 8th floors. If he/she tries to enter the 9th or 10th floor, the security guard (the security portion of the system, i.e. the code) refuses after seeing that the identity card does not cover those floors. So even though the person has the right to enter the building, that does not mean he/she has access to every floor. In the same way, a user who is authenticated to enter a system is not thereby allowed to access all the resources of that system.

The authorization mechanism is sometimes also called an access control mechanism.

Figure: list of roles and the permissions/authority each one grants to users over the actions they can perform, for an arbitrary application.
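The building-floors rule set expressed as Spring Security authorization, as an added example that is not code from the original article. It targets Spring Security 6 on the servlet stack; the class name, paths and role names are assumptions, and it assumes that accounts carrying ROLE_STAFF or ROLE_ADMIN exist in whatever UserDetailsService the application configures.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Hypothetical configuration class; paths and roles are illustrative.
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class AuthorizationConfig {

    // URL-level rules are the "floors" of the analogy. Rules are evaluated top
    // to bottom and the first match wins, so the specific floors 9 and 10 must
    // be listed before the /floors/** catch-all, otherwise the catch-all would
    // let any STAFF user onto the restricted floors.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/lobby").permitAll()
                .requestMatchers("/floors/9", "/floors/10").hasRole("ADMIN")
                .requestMatchers("/floors/**").hasAnyRole("STAFF", "ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Method-level authorization: enforced regardless of which URL led here, so a
// controller that forgets a URL rule still cannot expose this operation.
// A caller without the role gets an AccessDeniedException.
@Service
class FloorService {

    @PreAuthorize("hasRole('ADMIN')")
    public String openVault() {
        return "vault opened";
    }

    @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
    public String useElevator(int floor) {
        return "elevator to floor " + floor;
    }
}
```

The observable difference between the two concepts is the HTTP status: an unauthenticated request to /floors/3 gets 401 (authentication is missing), while a STAFF user who is already logged in and requests /floors/9 gets 403 (authenticated, but not authorized). Keeping the method-level check alongside the URL rules is the usual defence against a new endpoint being added without a matching URL rule.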

Thanks for reading this article. It’s my point of view on authentication, authorization and spring security. If you have some other point of view please mention in the comments section.

My next article is on how Spring Security actually performs authentication, from the architecture and implementation point of view. In it I have covered most of the core interfaces and classes that Spring Security uses to implement the authentication mechanism. The link to that article is given below:

To get in touch with me you can mail me on “abhijit.chopra5@gmail.com”.


Co-Founder & CEO at Electrum IT Solutions, Co-Founder at InstantOrder, Angel Technologist, Architecture Driven IT Strategist, Microservices & Cohesive Softwares