Once the user is validated in terms of who they claim to be, the next aspect, what the user has access to, needs to be ascertained. This process of making sure what the user is allowed to do within the application is called authorization.
In line with authentication architecture, as seen earlier, authorization also has a manager, AccessDecisionManager
. Spring Security has three built-in implementations for this: AffirmativeBased
, ConsensusBased
, and UnanimousBased
. AccessDecisionManager
works by delegating to a chain of AccessDecisionVoter
. Authorization-related Spring Security classes/interfaces are shown in the following diagram:
Figure 12: Spring Security Authorization classes/interfaces
In Spring Security, authorization to a secured resource is granted by invoking voters and then tallying the votes received. The three built-in implementations tally the votes received in different manners:
- AffirmativeBased: If at least one voter votes, the user is given access to the secured...