Java
Conference, 50 min
BEGINNER

Authorization in Spring Security: permissions, roles and beyond

This session explains how to design robust, multi-phase authorization in Spring Boot using Spring Security. Through live coding, attendees learn key concepts—login data handling, policy decision and enforcement, and implementation strategies—while exploring access control patterns, mechanisms, and trade-offs for building secure, well-architected applications.

Daniel Garnier-Moiroux (Spring)
When creating Spring Boot apps, Spring Security is the go-to choice for all your security use-cases. It offers protections against exploits, authentication (who is the user?) and authorization (are they allowed to do X?) capabilities. Basic authorization features, such as hasRole(...), are easy to implement, but things quickly become complicated when you have more advanced use-cases.

Many operations must be architected correctly to provide secure and robust authorization, in multiple phases. During the initial login phase, the relevant information about the user is extracted, transformed and stored, for example user data from OpenID claims. Then, for authorization, “policy decision” and “policy enforcement” are defined within the context of an operation: where are the authorization decisions made? Lastly, strategies are implemented in code to produce those authorization decisions.

Through live-coded examples, you will build a solid, foundational understanding for your authorization architecture. You will get an overview of the access control patterns you can apply with Spring Security, and practical advice on the different authorization mechanisms available and their trade-offs.
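As an added illustration of the three phases the abstract describes (this is example code written for this page, not code from the talk or from the Spring Security project), the configuration below shows, in Spring Security 6 terms: a GrantedAuthoritiesMapper that turns an OpenID claim into roles at login; the HTTP filter chain and a @PreAuthorize method as two policy enforcement points; and a custom AuthorizationManager that holds the policy decision in one testable place. The "groups" claim name, the /admin/** and /reports/** paths and the ADMIN and AUDITOR role names are assumptions chosen for the example.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity
public class AuthorizationConfig {

    // Phase 1 (login): extract, transform and store user data. An assumed "groups"
    // claim in the OpenID ID token is mapped to ROLE_* authorities, which is the
    // vocabulary hasRole(...) checks later. Unknown claims are simply ignored.
    @Bean
    GrantedAuthoritiesMapper oidcGroupsToRoles() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    var groups = oidc.getIdToken().getClaimAsStringList("groups");
                    if (groups != null) {
                        for (String group : groups) {
                            mapped.add(new SimpleGrantedAuthority("ROLE_" + group.toUpperCase()));
                        }
                    }
                }
            }
            return mapped;
        };
    }

    // Phase 2 (policy enforcement, HTTP level): the filter chain is where request
    // decisions are enforced. Simple rules use hasRole(...); the /reports/** rule
    // delegates the decision itself to a dedicated AuthorizationManager.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            GrantedAuthoritiesMapper authoritiesMapper) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/reports/**").access(new ReportAccessManager())
                .anyRequest().authenticated())
            .oauth2Login(login -> login.userInfoEndpoint(
                userInfo -> userInfo.userAuthoritiesMapper(authoritiesMapper)));
        return http.build();
    }

    // Phase 3 (policy decision): the decision logic lives apart from the
    // enforcement point, so it can be unit-tested with a fake Authentication
    // and reused by other enforcement points. Here: auditors may only read reports.
    static class ReportAccessManager implements AuthorizationManager<RequestAuthorizationContext> {
        @Override
        public AuthorizationDecision check(Supplier<Authentication> authentication,
                                           RequestAuthorizationContext context) {
            Authentication auth = authentication.get();
            boolean isAuditor = auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_AUDITOR".equals(a.getAuthority()));
            boolean isReadOnly = "GET".equals(context.getRequest().getMethod());
            return new AuthorizationDecision(isAuditor && isReadOnly);
        }
    }

    // A second enforcement point, at the method level, using the same role
    // vocabulary produced at login. Defence in depth: a caller that reaches this
    // service through a path the filter chain did not cover is still checked.
    @Service
    static class ReportService {
        @PreAuthorize("hasRole('AUDITOR')")
        public String summary() {
            return "quarterly summary"; // constructed placeholder content
        }
    }
}
```

The mapper runs once per login, so a change in the identity provider's group claim only shows up on the next login; the decision classes are the place to add audit logging, since that is where "why was this denied" is known.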
spring
architecture
security
authorization
Daniel Garnier-Moiroux

Spring

France

Daniel Garnier is a software engineer on the Spring team, working on Spring Security and Spring AI.
He's one of the maintainers of the Java MCP SDK.