
[java brains] Spring security basic

Tony Lim 2021. 4. 1. 21:43

Spring Security

Spring Security handles application-level security. App server security is a separate concern that is already taken care of.

Using Spring Security is like hiring a 24-hour guard for my application:

  • Login and logout functionality
  • allow / block access to URLs for logged-in users
  • allow / block access to URLs for logged-in users with certain roles

 

5 Core Concepts in Spring Security

Authentication

Knowledge Based Authentication = giving an ID and password. Easy to steal because they are just strings.

Possession Based Authentication = phone / text messages, key cards and badges, access token device

Multi Factor Authentication = KBA + PBA

 

Authorization

Can this user do what they want to do? Basically a yes-or-no question.

 

Principal

Currently logged-in user (account). Once you have your principal you don't need to log in on every request.

One user can have multiple IDs, but there is usually just one logged-in user (like Google).

 

Granted Authority

How does authorization happen? Specify beforehand a bunch of permissions per user.

 

Roles

Group of authorities.
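To tie the three bullet points above (login/logout, URL access for logged-in users, URL access by role) to granted authorities and roles, here is an added example configuration. It is not code from the Java Brains video or from this post; it assumes Spring Boot 3 / Spring Security 6 (the `SecurityFilterChain` bean style), and the URL paths, usernames, authority names and placeholder passwords are made up for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Authorization rules: which URLs are open, which need a logged-in user,
    // which need a specific role or a specific authority. (Paths are assumed.)
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()          // no login needed
                .requestMatchers("/admin/**").hasRole("ADMIN")           // needs authority ROLE_ADMIN
                .requestMatchers("/reports/**").hasAuthority("REPORT_READ") // needs a fine-grained permission
                .anyRequest().authenticated())                           // everything else: any logged-in user
            .formLogin(form -> form.permitAll())   // login page reachable by everyone
            .logout(logout -> logout.permitAll()); // logout reachable by everyone
        return http.build();
    }

    // Passwords are stored hashed; Spring compares the submitted string against the hash.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Users and their granted authorities, specified beforehand (in memory here; a real
    // app would load them from a database). A role is just an authority string with the
    // "ROLE_" prefix, so hasRole("ADMIN") checks for the authority "ROLE_ADMIN".
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.withUsername("user")            // assumed username
            .password(encoder.encode("user-password-placeholder")) // placeholder, not a real secret
            .roles("USER")                                        // becomes authority ROLE_USER
            .build();

        // Role as a group of authorities: ROLE_ADMIN plus the permissions that go with it.
        UserDetails admin = User.withUsername("admin")           // assumed username
            .password(encoder.encode("admin-password-placeholder"))
            .authorities("ROLE_ADMIN", "REPORT_READ", "REPORT_WRITE")
            .build();

        return new InMemoryUserDetailsManager(user, admin);
    }
}

// Principal: after login Spring keeps the Authentication in the security context, so a
// handler can ask who the current user is without re-authenticating on every request.
@RestController
class WhoAmIController {

    @GetMapping("/whoami") // assumed path; protected by anyRequest().authenticated() above
    public String whoAmI(Authentication authentication) {
        return authentication.getName() + " has " + authentication.getAuthorities();
    }
}
```

Note that `User.UserBuilder.roles(...)` and `.authorities(...)` each replace the authority set rather than adding to it, so a user that needs both a role and extra permissions lists all of them in one `authorities(...)` call, as the admin user does here.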

 

Ref

What is Spring Security really all about? Java Brains Brain Bytes - YouTube

Five Spring Security Concepts - Authentication vs authorization - Java Brains Brain Bytes - YouTube
