Spring Security | What Is Spring Security? | Authentication and Authorization

What Is Authentication?

Authentication is the process of verifying the identity claimed by a person. It confirms that a client is the user they claim to be.

Types of authentication include:

  • Credential-based authentication
    • Most authentication methods used on the web are credential-based.
    • Permission is granted after an authentication process, usually by checking whether an entered username and password match the stored credentials.
    • In Spring Security, the identifier is generally called the principal and the password is called the credential.
  • Two-factor authentication
    • This means authenticating through two methods.
    • For example, online transactions in financial and banking web applications often require both a login and a security certificate.
    • Adding one more authentication factor may seem simple, but it requires extensive programming changes.
  • Physical authentication
    • Although this is outside the web domain, it is one of the most effective security measures.
    • Examples include fingerprint recognition when turning on a computer or inserting a physical key.

What Is Authorization?

  • Authorization is the process of allowing access to a desired location or information.
  • It verifies that the action requested by a client is permitted for that client.

Authorization can be divided into two major types:

  • Granted authority
    • After a user is properly authenticated, authorities should be granted.
    • If persistent authorities are granted through registration or another process, they must be stored somewhere.
    • If a user can log in but cannot access the main page, there is an authorization problem.
  • Resource interception
    • User authorities alone do not provide proper security. Security must prevent users without permission from accessing resources in the first place.
    • Intercepting external requests so that only users with suitable authorities can access a resource is a core principle of web security and authorization.
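To make the principal/credential distinction above and the two authorization types (granted authority and resource interception) concrete, here is an added Spring Security 6 configuration; it is example code, not from the original page, and the usernames, passwords and URL paths are made up for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Authentication: who the client is. Each user carries a principal (username),
    // a credential (password, stored only as a hash) and its granted authorities.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")        // principal (made-up user)
                .password(encoder.encode("alice-password"))     // credential, hashed before storage
                .roles("USER")                                  // granted authority ROLE_USER
                .build();
        UserDetails bob = User.withUsername("bob")
                .password(encoder.encode("bob-password"))
                .roles("USER", "ADMIN")                         // ROLE_USER and ROLE_ADMIN
                .build();
        return new InMemoryUserDetailsManager(alice, bob);     // persistent store in real apps
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder(); // bcrypt by default
    }

    // Authorization: what an authenticated client may do. The filter chain intercepts
    // every request before it reaches a controller and checks it against these rules,
    // so a user without the right authority never reaches the protected resource.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll() // no authentication needed
                .requestMatchers("/admin/**").hasRole("ADMIN")          // requires ROLE_ADMIN
                .anyRequest().authenticated())                          // any logged-in user
            .formLogin(Customizer.withDefaults());                      // credential-based login form
        return http.build();
    }
}
```

With this configuration alice can log in but receives 403 on /admin/**, which is the "can log in but cannot access the page" authorization case described above, while bob's ROLE_ADMIN authority lets the request through.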

Difference Between Authentication and Authorization

  • Authentication and authorization can sometimes be difficult to distinguish.
  • It is easier to understand if you think of authorization as granting specific permissions to an authenticated user after authentication.
  • For example, an ACL (Access Control List) can restrict accessible areas after authentication based on the user’s access level.