Authorization
The counterpart to authentication is authorization. The two are often handled together, but they address two different requirements for securing web services. Authentication establishes who the user is, whereas authorization decides which operations that user is entitled to perform. Authorization usually works by associating users with roles and controlling which roles are allowed to perform specific operations.
Authorization with Spring
There are two approaches to manage authorization with Spring:
URL mapping
Resource annotations
The following sections provide illustrations of these two approaches.
URL mapping
Expanding on our previous example, we can modify SecurityConfig to declare fine-grained URL mappings as follows:

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/bookings/**").hasRole("ADMIN...
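The following is an added example, not code from the book, that puts both approaches listed above into one Spring Security 5.x configuration: URL mappings in configure(HttpSecurity) and a resource annotation (@PreAuthorize) on a controller method. The package name, the in-memory users alice and bob, their passwords, and the /bookings endpoints are all assumptions made for illustration; the ownership check in the SpEL expression goes one step beyond the role-only rule shown on the page.

```java
// Added example (not from the book). Assumes Spring Security 5.x with the
// WebSecurityConfigurerAdapter API; package, users and paths are illustrative.
package com.example.security;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Illustrative in-memory users. roles("ADMIN") stores the authority
        // "ROLE_ADMIN", which is what hasRole("ADMIN") checks against.
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}alice-pw").roles("USER")
            .and()
            .withUser("bob").password("{noop}bob-pw").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Approach 1: URL mapping. Rules are evaluated top to bottom and the
        // first matching rule wins, so list the most specific patterns first.
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/bookings/**").hasAnyRole("USER", "ADMIN")
            .antMatchers(HttpMethod.POST, "/bookings/**").hasRole("USER")
            .antMatchers(HttpMethod.DELETE, "/bookings/**").hasRole("ADMIN")
            // Catch-all: anything not listed above still requires a login,
            // so a new endpoint is never exposed anonymously by accident.
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

@RestController
@RequestMapping("/bookings")
class BookingController {

    // Illustrative store: booking id -> owning user name.
    private final Map<String, String> owners = new ConcurrentHashMap<>();

    // Approach 2: resource annotation. The check is attached to the method,
    // so it holds no matter which URL (or internal caller) reaches it.
    // Admins may cancel anything; a plain user only their own booking
    // (#owner is the method parameter, authentication.name the caller).
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    @DeleteMapping("/{owner}/{id}")
    public String cancel(@PathVariable String owner, @PathVariable String id) {
        return owners.remove(id) != null ? "cancelled " + id : "no such booking";
    }
}
```

Two checks worth running against any such configuration: send a request for a path that is not in the matcher list and confirm it is rejected rather than served (the anyRequest rule), and call the annotated method as a non-admin for someone else's booking and confirm an AccessDeniedException (HTTP 403) comes back. Note that the DELETE rule in configure(HttpSecurity) is evaluated before the annotation, so with both in place a USER never reaches the ownership branch on the URL above; drop the DELETE matcher if the annotation is meant to be the deciding rule.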