Sessions

Authorization in Spring Security: permissions, roles and beyond

Daniel Garnier-Moiroux - Broadcom

When creating Spring Boot apps, Spring Security is the go-to choice for all your security use-cases. It offers protections against exploits, authentication (who is the user?) and authorization (are they allowed to do X?) capabilities. Basic authorization features, such as hasRole(...), are easy to implement, but things quickly become complicated when you have more advanced use-cases.

Many operations must be architected correctly to provide secure and robust authorization, in multiple phases. During the initial login phase, the relevant information about the user is extracted, transformed and stored, for example user data from OpenID claims. Then, for authorization, “policy decision” and “policy enforcement” are defined within the context of an operation: where are the authorization decisions made? Lastly, strategies are implemented in code to produce those authorization decisions.

This talk is the follow-up of Spring Security Architecture Principles talk at Spring I/O 2024 (https://www.youtube.com/watch?v=HyoLl3VcRFY). Through live-coded examples, you will build a solid, foundational understanding for all your authorization architecture. You will get an overview of all the access control patterns you can apply with Spring Security. And you will get practical advice on different authorization mechanisms available, and their tradeoffs.