Security is one of the most important elements of an application. The word "security" covers two concepts:
Authentication is the process of verifying a principal's identity; a principal is typically a user. To be authenticated, a principal presents a credential, which is usually a password. Authorization, on the other hand, is the process of granting authorities, which are usually roles, to an authenticated user.
Once a user is authenticated and has been granted roles, he or she can work on the application and perform the actions that the access control list permits for those roles: each role allows certain operations and nothing else.
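The two concepts above map directly onto Spring Security's own configuration objects: a UserDetailsService holds the principals and their (hashed) credentials, and the authorization rules say which roles may reach which URLs or methods. The following is an added example, not code from the original text. It assumes Spring Security 6.x (the authorizeHttpRequests lambda DSL); the usernames, passwords, URL paths and role names are made up for the demonstration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Added example (not from the original text): authentication and authorization
// expressed as a Spring Security 6 configuration. Users, passwords, paths and
// roles below are assumptions made up for the demonstration.
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    // Credentials are never stored in clear text: the delegating encoder hashes
    // with bcrypt by default and prefixes the stored value with "{bcrypt}", so
    // the hashing scheme can be upgraded later without changing any rule.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Authentication: the principals the application knows and the credential
    // (a password) each must present. In-memory users are for demonstration only;
    // a real deployment backs this with a database or directory.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-secret")) // assumed demo password
                .roles("ADMIN")                           // stored as ROLE_ADMIN
                .build();
        UserDetails bob = User.withUsername("bob")
                .password(encoder.encode("bob-secret"))   // assumed demo password
                .roles("USER")                            // stored as ROLE_USER
                .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    // Authorization: which roles may reach which URLs. Rules are evaluated in
    // order, so the most specific paths come first, and anyRequest() closes the
    // list so that nothing is reachable anonymously by accident.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/reports/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// The same authorization decision attached to a service method, so the rule
// still holds if the method is reached by a path other than the /admin URL.
@Service
class UserAdminService {

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(String username) {
        // Only an authenticated principal holding ROLE_ADMIN gets this far;
        // anyone else receives an AccessDeniedException before the body runs.
    }
}
```

Two things worth checking in a real configuration: roles("ADMIN") and hasRole("ADMIN") both add the ROLE_ prefix, so mixing roles(...) on the user side with hasAuthority("ADMIN") on the rule side silently denies everyone; and the anyRequest().authenticated() line is what makes the chain fail closed, so an unlisted URL is never open to anonymous users.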
Before Spring Security, the rules of who can do what were usually implemented either with custom code and an in-house framework, or with JAAS. Usually the first kind of implementation was a consequence of the difficulty of the second. Unfortunately, though custom security code fits its immediate purpose, it falls short on its main aim. This is because it's safer to employ...