In the Authentication section, we showed how user-provided credentials (username/password) are compared with application-stored ones, and if they match, the user is authenticated.

To boost security, we can limit the user's access to application resources. This is where authorization comes into the picture—the question of who should access which application's resources.

Spring Security provides very comprehensive authorization features. We can categorize these features into these three authorization groups:

  • Web request (who can access which application URL?)
  • Method invoking (who can call a method?)
  • Domain object access (who can see which data?)

    For example, a customer should be able to see his own order and profile data, whereas an admin ...

Get Spring MVC: Designing Real-World Web Applications now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.