This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.1.11!

Authorization

The advanced authorization capabilities within Spring Security represent one of the most compelling reasons for its popularity. Irrespective of how you choose to authenticate (whether using a Spring Security-provided mechanism and provider or integrating with a container or other non-Spring Security authentication authority), the authorization services can be used within your application in a consistent and simple way.

In this part, we explore the different AbstractSecurityInterceptor implementations, which were introduced in Part I. We then move on to explore how to fine-tune authorization through the use of domain access control lists.

Section Summary

Authorization Architecture
Authorize HTTP Requests
Authorize HTTP Requests with FilterSecurityInterceptor
Expression-Based Access Control
Secure Object Implementations
Method Security
Domain Object Security ACLs
Authorization Events