Authorization

In the Authentication section, we showed how user-provided credentials (username/password) are compared with application-stored ones, and if they match, the user is authenticated.

To boost security, we can limit the user's access to application resources. This is where authorization comes into the picture—the question of who should access which application's resources.

Spring Security provides very comprehensive authorization features. We can categorize these features into these three authorization groups:

Web request (who can access which application URL?)
Method invoking (who can call a method?)
Domain object access (who can see which data?)
For example, a customer should be able to see his own order and profile data, whereas an admin ...

Get Spring MVC: Designing Real-World Web Applications now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Spring MVC: Designing Real-World Web Applications by Shameer Kunjumohamed, Hamidreza Sattari, Alex Bretet, Geoffroy Warin

Authorization

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly