Authentication vs Authorization: Understanding the Difference in Spring Security

sonali kumari shahi — Wed, 03 Jun 2026 11:36:03 +0000

When I started learning Spring Security, I kept seeing two terms everywhere:

Authentication and Authorization

At first, they sounded almost the same to me.
But as I learned more, I realized they answer two completely different questions.
Understanding this difference is important because these concepts are at the heart of every secure application.
Let's break them down in the simplest way possible.

Authentication: Who Are You?

Authentication is the process of verifying a user's identity.
In simple words, the application asks: "Who are you?"

For example, when you log in using your username and password:

   Username: sonali
   Password: ********

The application checks whether these credentials are correct.
If they are correct, you are authenticated.

Think of it like entering a college campus.
The security guard checks your ID card to confirm that you are actually a student.
That's authentication.
✅ Identity Verified

Authorization: What Are You Allowed To Do?

After authentication, another question is asked: "What are you allowed to do?"
This is authorization.
Even if two users are logged in, they may not have the same permissions.

For example:

Admin can manage users
Employee can view data
Customer can access only their own account

Authorization decides what resources a user can access.

Using the same college example:
The security guard verified your identity at the gate.
But that doesn't mean you can enter every room on campus.
Some rooms may be restricted to staff members only.
That's authorization.
✅ Permission Check

How Spring Security Uses Them

Whenever a request enters a Spring Boot application:
Request
↓
Authentication
↓
Authorization
↓
Controller

First, Spring Security verifies the user.
Then it checks whether the user has permission to access the requested resource.
Only after both checks pass does the request reach the controller.

The Big Takeaway

Authentication and Authorization work together, but they solve different problems.

Authentication confirms your identity.
Authorization determines your permissions.

A simple way to remember:
Authentication = Who are you?
Authorization = What can you do?

Once I understood this difference, many Spring Security concepts became much easier to understand. I hope this explanation helps you too.

What Happens Before Your API Receives a Request in Spring Security?

sonali kumari shahi — Tue, 02 Jun 2026 11:22:32 +0000

When I first added Spring Security to my Spring Boot project, something surprising happened.
All my APIs were suddenly protected, and I could no longer access them without authentication.
At first, it felt like magic. 😄

But then I wondered:

What actually happens when a request enters a Spring Security application?

In this blog, we'll follow the complete journey of a request and understand how Spring Security protects our application behind the scenes.

A Request's Journey Through Spring Security

Let's say a user sends a request to access:

GET /api/customers

You might think the request goes directly to the controller.
But that's not true.
Before your controller sees the request, Spring Security steps in and starts asking a few important questions.

First Question: "Who Are You?"

The request arrives at Spring Security's filter chain.

At this point, Spring Security tries to identify the user.

It looks for credentials such as:

Username and Password
JWT Token
OAuth Credentials

If no credentials are found, Spring Security stops the request right there.

The controller never gets a chance to handle it.

Second Question: "Are These Credentials Valid?"

If credentials are present, Spring Security verifies them.

For example:

Is the username correct?
Does the password match?
Is the JWT token valid and not expired?

If the verification fails, the request is rejected.

Only valid users can move to the next stage.

Third Question: "What Are You Allowed To Access?"

Now Spring Security knows who the user is.

But being authenticated doesn't automatically mean you can access everything.

Suppose a user tries to access an admin endpoint:

/admin/users

Spring Security checks the user's roles and permissions.

If the user has the required authority, the request moves forward.

Otherwise, access is denied.

Finally, The Request Reaches The Controller

Only after passing all security checks does the request reach your controller.

Request
↓
Spring Security
↓
Authentication
↓
Authorization
↓
Controller

At this point, your business logic starts executing and a response is generated.

The Big Takeaway

One thing that surprised me while learning Spring Security was that the controller is actually the last stop in the journey.

Before a request reaches your API, Spring Security has already:

✅ Identified the user

✅ Verified the credentials

✅ Checked permissions

✅ Decided whether the request should be allowed

That's why Spring Security is such an important part of modern backend applications.

It acts as a protective layer between users and your business logic, making sure only the right people can access the right resources.

What Spring Security topic would you like to see next?

🔹 Authentication vs Authorization
🔹 Security Filter Chain
🔹 JWT Authentication
🔹 UserDetailsService

Let me know in the comments! 🚀

DEV Community: sonali kumari shahi

Authentication vs Authorization: Understanding the Difference in Spring Security

Authentication: Who Are You?

Authorization: What Are You Allowed To Do?

How Spring Security Uses Them

The Big Takeaway

What Happens Before Your API Receives a Request in Spring Security?

What actually happens when a request enters a Spring Security application?

A Request's Journey Through Spring Security

The Big Takeaway