This section discusses authorization implementation strategies. Authorization is the process of granting access to resources according to a defined policy. Keep in mind that authentication is the process of verifying that a user (or another system) is who they claim to be, whereas authorization deals with what an authenticated user is allowed to do.
Authorization mechanisms can be implemented in many ways depending on the specific requirements of an application. Some applications use a basic public/private approach (like the one we have used so far in this chapter) where the policy is as simple as checking if a user is authenticated in order to grant access to a certain UI component. Other applications may require multiple roles, each one with a different set of permissions. Moreover, a user may have multiple roles at the same time and those roles could...
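The two strategies just described, the basic public/private check and a role-based policy where a user may hold several roles at once, side by side in one small policy evaluator. This is an added example, not code from the chapter; the role, permission and resource names are constructed for illustration, and the evaluator denies by default so that an unknown resource or an unauthenticated user is never granted access.

```python
from dataclasses import dataclass

# Constructed policy (assumed names, not from the chapter): role -> permissions.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}

# Constructed resource policy: resource -> (is_public, required permissions).
# public=True with no permissions is the "anyone" case; public=False with no
# permissions is the simple "any authenticated user" (public/private) case.
RESOURCE_POLICY = {
    "landing": (True, set()),
    "dashboard": (False, set()),
    "report-editor": (False, {"report:write"}),
    "user-admin": (False, {"user:manage"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()  # a user may hold several roles at once


def permissions_of(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def can_access(user, resource):
    """Authorize `user` (None means not authenticated) for `resource`.

    Deny by default: a resource with no policy entry is never granted."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False
    is_public, required = policy
    if is_public:
        return True
    if user is None:  # authentication is checked before any permission
        return False
    return required <= permissions_of(user)
```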