Implementing security for REST API

Every REST API request should be checked for authentication and authorization before being executed. REST APIs are implemented in the Java world using servlets and controllers. We want to ensure that the authorization and authentication are performed before the servlets and/or controllers are executed.

Servlet filters provide this capability: a filter runs before the servlet or controller that handles the request, so the checks can be performed there. The following diagram shows a typical implementation approach:

Here are the important steps:

  • The REST API request is executed by providing the URL, request data, and user credentials.
  • The filter checks for authentication: is it a valid user? Typically, a user ID/password combination or a token is used as the credential. After that, the filter checks for authorization: does the user have the right permissions?
  • The REST API request is executed.

The preceding approach would ensure authentication and authorization are always performed before executing the request.
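The following servlet filter is an added example of the approach just described; it is not code from the book or from Spring Security. It assumes the `javax.servlet` API (Servlet 3.0+ for `@WebFilter`, Java 9+ for `Map.of`/`Set.of`), and the token table, user names and `orders:*` permission names are constructed sample data. The filter first authenticates the bearer token (401 on failure), then authorizes the request against the user's permissions (403 on failure), and only then lets the request reach the controller.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not the book's code): authenticates a bearer token,
 * then authorizes the request against the user's permission set, before the
 * servlet or controller under /api/* is allowed to run.
 */
@WebFilter(urlPatterns = "/api/*")
public class ApiSecurityFilter implements Filter {

    // Constructed sample data: token -> user, and user -> granted permissions.
    // A real deployment would look these up in an identity store, not a constant map.
    private static final Map<String, String> TOKEN_TO_USER = Map.of(
            "token-alice-0001", "alice",
            "token-bob-0002", "bob");

    private static final Map<String, Set<String>> USER_PERMISSIONS = Map.of(
            "alice", Set.of("orders:read", "orders:write"),
            "bob", Set.of("orders:read"));

    /** Maps an HTTP method and path to the permission required for it (hypothetical rule). */
    static String requiredPermission(String method, String path) {
        if (path.startsWith("/api/orders")) {
            return "GET".equals(method) ? "orders:read" : "orders:write";
        }
        return null; // no rule for this path: denied by default in doFilter
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: authentication. Is the caller a known user?
        String header = request.getHeader("Authorization");
        String user = null;
        if (header != null && header.startsWith("Bearer ")) {
            user = TOKEN_TO_USER.get(header.substring("Bearer ".length()).trim());
        }
        if (user == null) {
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the controller is never reached
        }

        // Step 2: authorization. Does this user hold the permission this request needs?
        String required = requiredPermission(request.getMethod(), request.getRequestURI());
        Set<String> granted = USER_PERMISSIONS.getOrDefault(user, Set.of());
        if (required == null || !granted.contains(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Step 3: both checks passed; hand the request on to the servlet/controller.
        request.setAttribute("authenticatedUser", user);
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

With this filter in place, a `GET /api/orders` carrying `Authorization: Bearer token-bob-0002` reaches the controller, a `POST /api/orders` with the same token is rejected with 403 before any controller code runs, and a request with no or an unknown token is rejected with 401. Note that `getRequestURI()` includes the web application's context path, so the path prefix in `requiredPermission` assumes the application is deployed at the root context.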

Until now, we have discussed a generic approach for securing REST APIs. Let's now shift our attention towards Spring Security.
