Inappropriate or non-existent use of authorization.

Authorization is the second of two core security concepts that are crucial to implementing and understanding application security. Authorization uses the information that was validated during authentication to determine whether access should be granted to a particular resource. Built around the application's authorization model, authorization partitions the application's functionality and data so that the availability of these items can be controlled by matching the combination of privileges, functionality, and data with users. Our application's failure at this point of the audit indicates that the application's functionality isn't restricted by user role. Imagine if you were running ...
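As an added example that is not part of the book, the following Spring Security 3.1 namespace configuration shows the audit finding beside its fix: the first `<http>` element (commented out) only requires that a user be authenticated, so any logged-in user can reach `/admin/**`; the second partitions the URL space by role, with the most specific patterns listed first because `intercept-url` rules are matched in order. The URL patterns, role names, and in-memory users are constructed for illustration.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- WEAK (the audit finding): authentication only, no role partition.
         Every authenticated user, including ROLE_USER, reaches /admin/**. -->
    <!--
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
    </http>
    -->

    <!-- CORRECTED: functionality is partitioned by role.
         Rules are evaluated top to bottom, so specific patterns come first
         and the catch-all /** comes last; in 3.1 the ROLE_ prefix is
         required inside hasRole(). -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login*"    access="permitAll"/>
        <intercept-url pattern="/admin/**"  access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/account/**" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/**"        access="isAuthenticated()"/>
        <form-login login-page="/login" authentication-failure-url="/login?error=1"/>
        <logout logout-success-url="/login"/>
        <!-- Deny access rather than redirect when a logged-in user lacks the role -->
        <access-denied-handler error-page="/accessDenied"/>
    </http>

    <!-- Enforce the same partition on service methods via @PreAuthorize,
         so a URL that slips past the filter rules still cannot call admin logic -->
    <global-method-security pre-post-annotations="enabled"/>

    <!-- Constructed in-memory users; passwords are placeholders -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="ADMIN_PASSWORD_PLACEHOLDER"
                      authorities="ROLE_USER,ROLE_ADMIN"/>
                <user name="user"  password="USER_PASSWORD_PLACEHOLDER"
                      authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A quick check after applying the fix: log in as `user` and request `/admin/`; the expected result is the access-denied page, not the admin content.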
