One of the fundamental ways to secure a resource is to make sure that the caller is who they claim to be. This process of checking credentials and making sure that they are genuine is called authentication.

The following diagram shows the fundamental process Spring Security uses to address this core security requirement. The figure is generic and can be used to explain all the various authentication methods that the framework supports:

As detailed in Chapter 1, Overview of Spring 5 and Spring Security 5 (in the Working of Spring Security section), Spring Security has a series of servlet filters (a filter chain). When a request reaches the server, it is intercepted by this series of filters (Step 1 in the preceding diagram).

In the reactive world (with the new Spring WebFlux web application framework), filters are ...

Let's gets our hands dirty by doing some coding. We will start off with the most common authentication mechanisms and then get into other authentication mechanisms that can be used with Spring Security.

Apart from the actual authentication mechanism, many aspects of the application are quite similar. In this section, we will set up the example and then cover the specific authentication mechanism in detail.

We will be using the default Spring Security DB schema against which we will authenticate the user. We will create a fully fledged Spring MVC web application, with each component being created from scratch. Creating a sample Spring Security application using Spring MVC with the...

Once the user is validated in terms of who they claim to be, the next aspect, what the user has access to, needs to be ascertained. This process of making sure what the user is allowed to do within the application is called authorization.

In line with authentication architecture, as seen earlier, authorization also has a manager, AccessDecisionManager. Spring Security has three built-in implementations for this: AffirmativeBased, ConsensusBased, and UnanimousBased. AccessDecisionManager works by delegating to a chain of AccessDecisionVoter. Authorization-related Spring Security classes/interfaces are shown in the following diagram:

In Spring Security, authorization to a secured resource is granted by invoking voters and then tallying the votes received. The three built-in implementations...

Spring Security has a number of capabilities apart from core security features, authentication and authorization. Some of the most important ones are listed here. In Chapter 7, Spring Security Add-Ons, we will go through each of these in more detail using hands-on coding. We will build on the example that we have created in this chapter and explain each of these very important Spring Security capabilities:

• Remember-me authentication: This is also known as persistent-login, and it allows websites to remember a user's identity in between multiple sessions. Spring Security provides a couple of implementations (hashed-token-based and persistent-token-based) that make this easy.
• Cross Site Request Forgery (CSRF): This is a very common security exploit employed by hackers to do unethical operations, whereby unauthorized commands are sent...

This chapter aimed at introducing two important security concepts, namely authentication and authorization, and how they are supported by Spring Security.

We started by explaining these concepts in detail and then dived into them with the help of a sample application. We have used Spring MVC application as a base to help you understand Spring Security concepts. Chapter 4, Authentication Using CAS and JAAS, is aimed at explaining reactive web application framework, Spring WebFlux.

In the next chapter, we will go through other authentication mechanisms supported by Spring Security by extending the example that we have built in this chapter.