Spring Security – authentication and authorization in detail
- Basics of Spring Security
- What is Spring Security?
- What can Spring Security do?
- The 5 core concepts of Spring Security, broken down in detail
Definition of Spring Security :
The proper definition of Spring Security is:
Spring Security is an application-level security framework: it plugs into a Spring application and provides authentication (establishing who the caller is) and authorization (deciding what that caller is allowed to do), applied inside the application itself rather than by the network or the container.
Let’s understand Spring Security with a real-life example.
We build applications and APIs and open them up to users, but we still need to control which user can reach which feature or which part of the application.
Spring Security is like hiring a security guard.
A security guard protects a building and lets only the right people in. They ask anyone who wants to enter two questions: who are you, and what do you want?
Spring Security works the same way. It sits between the user and the application as a gatekeeper, intercepts every incoming request, and for each one determines who the user is and what the user wants.
Spring Security provides:
- Login/logout functionality
- Allowing or blocking access to URLs for logged-in users
- Allowing or blocking access to URLs for logged-in users who also hold certain roles
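The three items above map directly onto a Spring Security configuration. The listing below is an added example written for this page (it is not code from the original post): a Spring Security 6 / Spring Boot 3 filter chain with form login and logout, URL rules that only require a logged-in user, and URL rules that also require a role, plus two in-memory test users. The paths, usernames, passwords and role names are assumptions chosen for illustration.

```java
// Added example, not from the original post. Assumes spring-boot-starter-security on the classpath.
package com.example.retail.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Who may reach which URL. Rules are evaluated top to bottom and the first match
            // wins, so the specific paths come first and the catch-all comes last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/css/**").permitAll()                     // anonymous is fine here
                .requestMatchers("/pos/**").hasAnyRole("CLERK", "STORE_MANAGER") // logged in AND one of these roles
                .requestMatchers("/reports/**").hasRole("STORE_MANAGER")          // logged in AND this role
                .anyRequest().authenticated()                                    // everything else: any logged-in user
            )
            // Login/logout. Spring serves a default login page at /login; logout is a POST to
            // /logout (CSRF protection stays on by default, so a GET will not log anyone out).
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessUrl("/login?logout"));
        return http.build();
    }

    // Passwords are never compared in clear text: the stored value is a bcrypt hash and
    // Spring's DaoAuthenticationProvider calls PasswordEncoder.matches() at login time.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Assumed test users kept in memory. In a real deployment this bean would be backed by
    // a database, an LDAP directory or an external identity provider instead.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails clerk = User.withUsername("alice")
            .password(encoder.encode("clerk-pass"))   // hashed before it is stored
            .roles("CLERK")                            // stored as the authority ROLE_CLERK
            .build();
        UserDetails manager = User.withUsername("bob")
            .password(encoder.encode("manager-pass"))
            .roles("STORE_MANAGER")
            .build();
        return new InMemoryUserDetailsManager(clerk, manager);
    }
}
```

The order of the `requestMatchers` calls matters: if `anyRequest().authenticated()` were placed first, the later role rules would never be reached and a clerk could open `/reports/**`.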
What can Spring Security do?
- Username/password authentication
- Single sign-on and directory integration, for example SSO providers such as Okta, or LDAP
- Application-level authorization
- Inter-application authorization, such as OAuth
- Microservice security (tokens, JWT)
- Method-level security
5 core concepts of Spring Security
Here are the five core concepts you will encounter as soon as you start learning Spring Security.
The first two, authentication and authorization, are effectively the first and second step Spring Security takes on each request, so let us first look at the difference between them and tackle the two together.
Imagine Spring Security as the watchman standing in front of your web application, stopping every request before it goes in.
The watchman asks two questions, who are you and what do you want, and it is the requester's job to answer them.
You answer the first question, "who are you", by stating your identity, but that is not enough: you also have to prove it, prove that it is you and not someone else. For that you present something only you can present and an impersonator cannot, such as an ID.
The second question needs no proof. There is nothing to prove about a request; you simply state what you want, and it is the guard who decides whether you may have it.
1. Authentication :
Authentication is the answer to the first question, "who are you?", together with the proof. In a web application the most common proof is something only the user knows, such as a user ID and password; this is known as knowledge-based authentication.
This knowledge can be:
- Password
- PIN code
- Answer to a secret/personal question
2. Authorization :
Authorization is the security guard examining what you want and then deciding whether you are allowed to do it. In other words, it answers the question: can this user do what they are trying to do? It is a yes/no answer for a given operation. A user might be allowed to perform one operation but not another.
Example : Retail Store
Every employee can log in to the application and use it. They authenticate with their user ID and password, but once they have authenticated, what each person can do in the application depends on who that user is.
For example, a store clerk can probably access point-of-sale functionality or check whether something is in stock.
A department manager can probably see how their particular department is doing.
A store manager can see everything across the store, in all departments.
So every time a user requests something, the application has to arrive at a binary decision: yes or no, is this user allowed to do this?
Making that yes/no decision, based on who the user is and what they are trying to do, is called authorization.
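The retail-store decisions above can be expressed as method-level authorization. The listing below is an added example written for this page, not code from the original post: a service whose methods each carry a `@PreAuthorize` rule, and a test that shows the yes/no outcome for each kind of employee. The class names, role names and the constructed stock lookup are assumptions; the test assumes a `@SpringBootApplication` class in a parent package and the `spring-security-test` dependency, and the service and test are shown in one listing for reading even though in a project they would live in `src/main` and `src/test`.

```java
// Added example, not from the original post.
package com.example.retail;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize checks. Spring wraps each annotated method in a proxy, so the rule
// applies to every caller (controller, scheduler, another service), not only to HTTP paths.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig { }

@Service
class StoreService {

    // Any employee, once authenticated, may check stock (and ring up sales, not shown).
    @PreAuthorize("hasAnyRole('CLERK', 'DEPT_MANAGER', 'STORE_MANAGER')")
    public boolean isInStock(String sku) {
        return sku.startsWith("SKU-"); // constructed stand-in for an inventory lookup
    }

    // Department managers and the store manager may see a department report.
    @PreAuthorize("hasAnyRole('DEPT_MANAGER', 'STORE_MANAGER')")
    public String departmentReport(String department) {
        return "report for " + department;
    }

    // Only the store manager sees the whole store. Note that a method with no annotation
    // is not checked at all, so every sensitive method needs its own rule.
    @PreAuthorize("hasRole('STORE_MANAGER')")
    public String storeReport() {
        return "store-wide report";
    }
}

// Each test runs as an already-authenticated fake user. The yes/no decision shows up as the
// method either returning normally or throwing AccessDeniedException.
@SpringBootTest
class StoreServiceAuthorizationTest {

    @Autowired StoreService store;

    @Test
    @WithMockUser(username = "alice", roles = "CLERK")
    void clerkCanCheckStockButNotViewReports() {
        assertTrue(store.isInStock("SKU-42"));
        assertThrows(AccessDeniedException.class, () -> store.departmentReport("toys"));
        assertThrows(AccessDeniedException.class, store::storeReport);
    }

    @Test
    @WithMockUser(username = "carol", roles = "DEPT_MANAGER")
    void departmentManagerSeesDepartmentButNotStore() {
        assertEquals("report for toys", store.departmentReport("toys"));
        assertThrows(AccessDeniedException.class, store::storeReport);
    }

    @Test
    @WithMockUser(username = "bob", roles = "STORE_MANAGER")
    void storeManagerSeesEverything() {
        assertEquals("store-wide report", store.storeReport());
    }
}
```

Putting the rule on the service method rather than only on the URL means a second controller, a scheduled job or a bug in the web layer cannot reach the report without passing the same check.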
Difference between authentication and authorization :
- Authentication is the first stage of security; authorization is the second.
- Authentication answers "who is this user?"; authorization answers "are they allowed to do this?"
- To reach authorization you need authentication first: you have to know who the user is before you can decide what they are, or are not, allowed to do.
This is how authentication and authorization work in Spring Security.
3. Principal :
The principal is the identity you established through the process of authentication; in other words, the currently logged-in user.
It is the unique piece of information or account in the system that you tie to a specific person in the context of the application. Once you authenticate, say by giving your user ID and password, the application establishes a principal and remembers it.
That is why you authenticate with an application only once and are not asked for your credentials on every request or page reload, which would get very annoying. The application (by default, through the HTTP session) remembers the currently logged-in user as the principal.
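Two ways of reading that remembered principal, as an added example written for this page rather than code from the original post. The controller gets it injected; the helper class reads it from the thread-bound `SecurityContext`, which is how code outside the web layer (audit logging, a service method) finds out who is acting. The URL, class names and the `"anonymous"` placeholder string are assumptions.

```java
// Added example, not from the original post.
package com.example.retail.web;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // In a controller Spring MVC injects the principal directly: this is the UserDetails
    // object the UserDetailsService returned when the user logged in.
    @GetMapping("/whoami")
    public String whoAmI(@AuthenticationPrincipal UserDetails user) {
        return "principal=" + user.getUsername() + " authorities=" + user.getAuthorities();
    }
}

// Anywhere else the same information comes from the SecurityContext. Spring Security loads
// it at the start of each request, by default from the HTTP session
// (HttpSessionSecurityContextRepository), and clears it when the request ends. That is the
// mechanism behind "log in once, stay logged in across requests".
final class CurrentUser {
    private CurrentUser() { }

    static String name() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No Authentication at all, or the anonymous placeholder Spring puts in for
        // unauthenticated requests, both mean "nobody has logged in on this request".
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return "anonymous";
        }
        return auth.getName();
    }
}
```

One caveat for the second approach: `SecurityContextHolder` is backed by a `ThreadLocal` by default, so work handed to another thread (an `@Async` method, a plain executor) sees an empty context unless it is propagated, for instance with `DelegatingSecurityContextExecutor`.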
4. Granted Authority :
A user is trying to do something; we allow, or authorize, it only if the user has been granted the authority to do so.
We configure this in Spring Security by defining which permissions are granted to whom. Any operation that has not been explicitly permitted for a given user beforehand is denied: the default answer is always no.
Authorities are fine-grained. You have to assign particular permissions to particular people, which quickly gets tedious, and that is where the fifth core concept of Spring Security comes in: the role.
5. Role :
A role is essentially a group of authorities that are usually assigned together. You create something like ROLE_STORE_CLERK, attach to it every authority a store clerk should have, and when the store hires a clerk you assign them that role; they get all of its authorities automatically. The same is done for every other kind of user. This keeps administration easy and consistent.
Roles are coarse-grained permissions compared with the fine-grained permissions that authorities represent. In Spring Security a role is itself stored as an authority with the ROLE_ prefix, so hasRole('STORE_CLERK') is the same check as hasAuthority('ROLE_STORE_CLERK').
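The listing below, an added example written for this page and not code from the original post, makes the role-as-bundle idea concrete: a `UserDetailsService` that turns one assigned role into the set of fine-grained authorities it carries, and a service whose methods are guarded at either granularity. The role names, permission strings and sample accounts are assumptions; it also assumes a `PasswordEncoder` bean and `@EnableMethodSecurity` are configured elsewhere in the application.

```java
// Added example, not from the original post.
package com.example.retail.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class RoleExpandingUserDetailsService implements UserDetailsService {

    // Role -> the fine-grained authorities it bundles. Hiring a clerk means assigning one
    // role; every permission in its list comes with it, nothing is granted one by one.
    static final Map<String, List<String>> ROLE_PERMISSIONS = Map.of(
        "ROLE_STORE_CLERK",   List.of("pos:sell", "stock:read"),
        "ROLE_DEPT_MANAGER",  List.of("pos:sell", "stock:read", "report:department"),
        "ROLE_STORE_MANAGER", List.of("pos:sell", "stock:read", "stock:write",
                                      "report:department", "report:store"));

    private record Account(String passwordHash, String role) { }

    // Constructed sample accounts; a real service would read them from a database or directory.
    private final Map<String, Account> accounts;

    public RoleExpandingUserDetailsService(PasswordEncoder encoder) {
        accounts = Map.of(
            "alice", new Account(encoder.encode("clerk-pass"), "ROLE_STORE_CLERK"),
            "bob",   new Account(encoder.encode("manager-pass"), "ROLE_STORE_MANAGER"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account acct = accounts.get(username);
        if (acct == null) {
            // DaoAuthenticationProvider reports this as bad credentials by default, so the
            // login form does not reveal which usernames exist.
            throw new UsernameNotFoundException("no such user");
        }
        return User.withUsername(username)
            .password(acct.passwordHash())
            .authorities(expand(acct.role()))
            .build();
    }

    // The role itself stays in the list so hasRole() keeps working; the permissions are added
    // so individual methods can be guarded with hasAuthority() instead of listing every role.
    static List<GrantedAuthority> expand(String role) {
        List<GrantedAuthority> out = new ArrayList<>();
        out.add(new SimpleGrantedAuthority(role));
        for (String permission : ROLE_PERMISSIONS.getOrDefault(role, List.of())) {
            out.add(new SimpleGrantedAuthority(permission));
        }
        return out;
    }
}

// Checks at each granularity. hasRole('STORE_MANAGER') is shorthand for
// hasAuthority('ROLE_STORE_MANAGER'): Spring adds the ROLE_ prefix for you.
@Service
class InventoryService {

    @PreAuthorize("hasAuthority('stock:read')")   // every role above bundles this
    public int quantity(String sku) { return 7; } // constructed stand-in for a lookup

    @PreAuthorize("hasAuthority('stock:write')")  // only ROLE_STORE_MANAGER bundles this
    public void adjust(String sku, int delta) { }

    @PreAuthorize("hasRole('STORE_MANAGER')")     // coarse-grained: the whole role
    public String storeReport() { return "store-wide report"; }
}
```

Guarding `adjust` with `hasAuthority('stock:write')` rather than `hasRole('STORE_MANAGER')` means a new role (say, a stock controller) can be given that permission by editing `ROLE_PERMISSIONS` without touching any annotated method.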
Read the Spring Security documentation for more detail.
To read more tech blogs, visit Knoldus Blogs.