Authentication and Authorization
Security in Spring applications revolves around two distinct concepts that are often mistakenly conflated.
1. Authentication
Authentication answers the question: "Who are you?"
The system verifies the user's identity, traditionally by evaluating explicit credentials:
- Checking a username and password.
- Verifying a fingerprint.
- Validating a JSON Web Token (JWT) signature.
In Spring Security, the result of a successful authentication is stored in the SecurityContextHolder, where later code in the same request can read the authenticated principal and its granted authorities.
2. Authorization
Authorization answers the question: "Are you allowed to do this?"
Just because a user has proven their identity (Authentication) does not mean they possess the permissions to view the requested data.
For example, a standard employee proves their identity and passes the Authentication layer. However, when they attempt to query the /api/salary/admin endpoint, the Authorization layer blocks them because they lack the ADMIN role.
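As an added example (not code from the original page), the two layers as they appear in a Spring Security 6 configuration: the UserDetailsService supplies the identities that authentication checks, and the SecurityFilterChain enforces the authorization rule for /api/salary/admin. It assumes a Spring Boot application with spring-boot-starter-web and spring-boot-starter-security on the classpath; the account names and passwords are constructed demo values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Authorization: which authenticated principals may reach which URL.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN"
                .requestMatchers("/api/salary/admin").hasRole("ADMIN")
                // other API routes only require a successful authentication
                .requestMatchers("/api/**").authenticated()
                // least privilege: anything not listed above is refused
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Authentication source: constructed demo accounts, not real credentials.
    // withDefaultPasswordEncoder() is for demos only; use a PasswordEncoder bean in production.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder().username("employee")
                .password("employee-pw").roles("EMPLOYEE").build(),
            User.withDefaultPasswordEncoder().username("admin")
                .password("admin-pw").roles("ADMIN").build());
    }
}

@RestController
class SalaryController {
    @GetMapping("/api/salary/admin")
    String adminSalaries() {
        // Runs only after the filter chain has authenticated and authorized the caller.
        Authentication who = SecurityContextHolder.getContext().getAuthentication();
        return "requested by " + who.getName() + " " + who.getAuthorities();
    }
}
```

Requesting /api/salary/admin with the employee account authenticates but is refused with 403 (authorized check fails), while omitting credentials altogether yields 401 (authentication fails); only the admin account reaches the controller.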