Module 1: Authentication vs Authorization (ID vs Clearance)

📚 Module 1: AuthN vs AuthZ

Focus: Moving from “Open Access” to “Locked Doors.”

When you open your app to the internet, you don’t want just anyone to delete your database. We use Spring Security to manage who can enter.

---

🏗️ Step 1: Authentication (The “ID Card”)

Authentication (AuthN) is the process of proving who you are.

🧩 The Analogy: The Airport Security

• You show your Passport (Username and Password).
• The officer checks if you are the person in the photo.
• Goal: To answer the question: “Who are you?”

---

🏗️ Step 2: Authorization (The “Security Clearance”)

Authorization (AuthZ) is the process of deciding what you are allowed to do.

🧩 The Analogy: The Boarding Pass

• Just because you are in the airport doesn’t mean you can get on any plane.
• Your Boarding Pass says you are allowed in Seat 12A but NOT the Cockpit.
• Goal: To answer the question: “What can you do?”

---

🏗️ Step 3: Role-Based Access (RBAC)

In professional apps, we group users into Roles (like “ADMIN” or “USER”).

• ADMIN: Can see everything and delete anything.
• USER: Can only see their own profile.

In Code:

@RestController
public class SecretController {

    @GetMapping("/admin/dashboard")
    @PreAuthorize("hasRole('ADMIN')") // ONLY Admins can see this!
    public String getDashboard() {
        return "Welcome, Boss!";
    }
}

---

🥅 Module 1 Review

1. Authentication: Proving your identity (Passport).
2. Authorization: Proving your permission (Boarding Pass).
3. Roles: Grouping permissions (Admin vs User).
4. @PreAuthorize: A label that checks a user’s role before they enter.

Slow Learner Note

Spring Security is the most “difficult” part of Spring Boot because it has a lot of hidden parts. Just remember: It is a chain of security guards standing at your front door.