In the Authentication section, we showed how user-provided credentials (username/password) are compared with application-stored ones, and if they match, the user is authenticated.
To boost security, we can limit the user's access to application resources. This is where authorization comes into the picture—the question of who should access which application's resources.
Spring Security provides very comprehensive authorization features. We can categorize these features into these three authorization groups:
Web request (who can access which application URL?)
Method invoking (who can call a method?)
Domain object access (who can see which data?)
For example, a customer should be able to see his own order and profile data, whereas an admin should be able to see all the customers' orders plus the data that is not visible to any customer.
Since version 3.0 of Spring Security, Spring has added Spring EL expressions to its authorization features. Spring EL lets you convert complex authorization...