After authentication has completed, an application often needs information about the authenticated user. For example, a request handler may need the username or the roles/authorities of the user who called an endpoint, either to personalize the response or to decide whether that user is allowed to perform the requested action.
So far we have only dealt with hardcoded users stored in memory. Real-world applications usually support a registration process and store user credentials, together with their roles/authorities, permanently in a database.
In simple applications, authentication might be enough: as soon as a user authenticates (proves their identity), they can access any part of the application. In many situations, however, not every authenticated user should be allowed to reach every resource. Authorization is the process by which the system decides whether an authenticated client is permitted to access the requested resource. Authorization always happens after authentication, because the decision depends on who the client is.
Authentication is how we verify the identity of whoever is trying to access our application. A common way to authenticate users is to ask them for a login and password. If the submitted credentials match the stored ones, the system treats the claimed identity as valid and lets the request proceed.
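The following is an added example (not code from the original page) that ties the three ideas above together in a Spring Boot 3 / Spring Security 6 application: HTTP Basic authentication, role-based authorization rules for a few URL patterns, and a controller that reads the authenticated user's name and authorities both via `@AuthenticationPrincipal` and via `SecurityContextHolder`. The paths `/api/admin/**`, `/api/public/**` and `/api/whoami`, the class names, and the role name `ADMIN` are assumptions chosen for illustration; it expects a `UserDetailsService` bean to be present elsewhere in the application.

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical configuration class; paths and role names are assumptions for this example.
@Configuration
@EnableWebSecurity
class AccessControlConfig {

    // Authorization rules are evaluated top-down and the first matching rule wins,
    // so the most specific patterns come first and the catch-all last.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")   // authorization: needs ROLE_ADMIN
                .requestMatchers("/api/public/**").permitAll()       // no authentication required
                .anyRequest().authenticated())                       // everything else: any logged-in user
            .httpBasic(Customizer.withDefaults());                   // authentication: HTTP Basic
        return http.build();
    }
}

// Hypothetical controller showing two ways to obtain the authenticated user.
@RestController
class WhoAmIController {

    // The authenticated principal is injected directly into the handler. This path is
    // covered by anyRequest().authenticated(), so 'user' is never null here.
    @GetMapping("/api/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal UserDetails user) {
        List<String> authorities = user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .toList();
        return Map.of("username", user.getUsername(), "authorities", authorities);
    }

    // The same information read from the thread-bound SecurityContext. This works outside
    // controllers too (services, filters) as long as the code runs on the request thread.
    @GetMapping("/api/admin/whoami")
    String adminWhoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth.getName() + " " + auth.getAuthorities();
    }
}
```

Two details worth checking when adapting this: `hasRole("ADMIN")` matches the granted authority `ROLE_ADMIN`, so users must be created with `.roles("ADMIN")` or `.authorities("ROLE_ADMIN")`; and if a handler is reachable via `permitAll()`, an anonymous request arrives with a null `@AuthenticationPrincipal`, so such handlers must guard against that before dereferencing it.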
When developing a backend application, you must know how to store user information in the database securely. It doesn't matter whether you are a freelancer or a multi-billion-dollar corporation: you have to assume that somebody may one day break into your database, whether through an attack from the outside or an internal data leak. Passwords in particular must never be stored in plaintext, only as salted hashes produced by a slow, purpose-built password-hashing algorithm, so that a stolen users table does not hand the attacker every user's password.
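The following is an added example (not code from the original page) for the two preceding points: a database-backed `UserDetailsService` that replaces the hardcoded in-memory users, and a registration path that stores only a BCrypt hash of the password. It targets Spring Security 6; the `AppUser` record, the `UserAccountService` class and the `ConcurrentHashMap` standing in for a users table are assumptions made so the example is self-contained (in a real application the map would be a JPA repository or similar).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Hypothetical persisted record: what one row of the users table holds.
// Note the field name: a hash is stored, never the password itself.
record AppUser(String username, String passwordHash, String role) {}

@Configuration
class PasswordConfig {
    // BCrypt generates a random salt per password and embeds it in the output string,
    // so two users with the same password get different hashes. The work factor (12)
    // makes each guess deliberately slow; raise it as hardware gets faster.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}

// Hypothetical service; Spring Boot wires it in as the UserDetailsService automatically
// once it exists as a bean, replacing the default in-memory user.
@Service
class UserAccountService implements UserDetailsService {

    // Constructed stand-in for the users table so the example runs without a database.
    private final Map<String, AppUser> users = new ConcurrentHashMap<>();
    private final PasswordEncoder encoder;

    UserAccountService(PasswordEncoder encoder) {
        this.encoder = encoder;
    }

    // Registration: the plaintext password is hashed immediately and is never written
    // to the store or logged.
    public void register(String username, String rawPassword) {
        if (users.containsKey(username)) {
            throw new IllegalArgumentException("username already taken");
        }
        users.put(username, new AppUser(username, encoder.encode(rawPassword), "USER"));
    }

    // Called by Spring Security during authentication. The submitted password is compared
    // to the stored hash with PasswordEncoder.matches(); the hash is never "decoded".
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AppUser u = users.get(username);
        if (u == null) {
            throw new UsernameNotFoundException("user not found");
        }
        return User.withUsername(u.username())
                .password(u.passwordHash())   // already a BCrypt hash, no {noop} prefix
                .roles(u.role())              // stored as authority ROLE_USER
                .build();
    }
}
```

Two practitioner notes. First, because a single `BCryptPasswordEncoder` bean is declared, stored hashes carry no `{bcrypt}` prefix; if you instead use `PasswordEncoderFactories.createDelegatingPasswordEncoder()`, hashes are written as `{bcrypt}$2a$...` and the prefix is required on read, so pick one scheme before the first user is stored. Second, the `UsernameNotFoundException` thrown above is hidden by Spring Security's `DaoAuthenticationProvider` by default and surfaces to the client as a generic bad-credentials failure, so the login endpoint does not reveal which usernames exist.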
Access to some web pages, files, or other protected resources of a web application is often restricted to authorized users only. Spring Security is the Spring module that handles authentication and authorization (also called access control).