Summary

In this chapter, we started by learning the basics of securing web applications. We learned that filters are typically used to authenticate and authorize the request, before executing the REST API.

We discussed the basics of how Spring Security works. We learned that Spring Security uses a chain of security filters in order to perform authentication and authorization. We also looked at some of the filters.

UsernamePasswordAuthenticationFilter and BasicAuthenticationFilter are used for authentication. One of the key responsibilities of FilterSecurityInterceptor is to make authorization decisions.

We learned about the role that the authentication manager plays in authenticating your REST API request. The default implementation of the authentication manager (ProviderManager) talks with multiple authentication providers (which typically use the UserDetailsService) in order to retrieve and authenticate user details.

We learned about the role that AccessDecisionManager plays in making authorization decisions. An AccessDecisionManager talks with multiple AccessDecisionVoters, each of which can give a positive or a negative vote (or abstain). We looked at the different types of access decision managers—AffirmativeBased (at least one positive vote), ConsensusBased (go with the majority), and UnanimousBased (all votes should be positive).

We looked at the extension points that are provided by Spring Security to configure authentication and authorization with WebSecurityConfigurerAdapter.
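The pieces recapped above can be wired together in one place. The following configuration is an added example, not code from the book; it shows a WebSecurityConfigurerAdapter that enables HTTP Basic authentication (installing BasicAuthenticationFilter), supplies a UserDetailsService for the ProviderManager's DaoAuthenticationProvider to consult, and hands FilterSecurityInterceptor a UnanimousBased AccessDecisionManager so that a single negative vote denies the request. The package name, the user names and passwords, and the /api/** paths are assumptions made for the illustration.

```java
// Added example (not from the book): wiring authentication and authorization
// in a Spring Security 5.x WebSecurityConfigurerAdapter. Package, users and
// URL patterns are constructed for illustration.
package com.example.security;

import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.access.expression.WebExpressionVoter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored encoded; the DaoAuthenticationProvider compares the
    // submitted password against the stored hash using this encoder.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // UserDetailsService: the authentication provider asks it for the stored
    // user (name, encoded password, granted authorities) during authentication.
    // The two users below are constructed sample data.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(passwordEncoder().encode("sample-password"))
                .roles("USER").build(),
            User.withUsername("admin")
                .password(passwordEncoder().encode("sample-password"))
                .roles("USER", "ADMIN").build());
    }

    // UnanimousBased: every voter that does not abstain must grant access;
    // one ACCESS_DENIED vote rejects the request. Swap in AffirmativeBased or
    // ConsensusBased here to change the decision strategy.
    private AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<?>> voters = Arrays.asList(
            new WebExpressionVoter(),   // evaluates hasRole(...) / authenticated()
            new RoleVoter(),            // votes on ROLE_* config attributes
            new AuthenticatedVoter());  // votes on IS_AUTHENTICATED_* attributes
        return new UnanimousBased(voters);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Stateless REST API authenticated by a header: no session cookie,
            // so CSRF protection is not needed here.
            .csrf().disable()
            // Adds BasicAuthenticationFilter to the security filter chain.
            .httpBasic()
            .and()
            // These rules become the config attributes FilterSecurityInterceptor
            // passes to the AccessDecisionManager for each request.
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll()
                .accessDecisionManager(accessDecisionManager());
    }
}
```

With this in place, a request to /api/admin/users from "alice" is authenticated by BasicAuthenticationFilter (ProviderManager finds her via the UserDetailsService) but is refused by FilterSecurityInterceptor, because the WebExpressionVoter votes to deny hasRole("ADMIN") and UnanimousBased needs every non-abstaining voter to grant; the same request from "admin" passes. Matchers are evaluated in order, so the more specific /api/admin/** rule must precede /api/**, and anyRequest() must come last.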

We discussed OAuth and extended our REST API application to act as the OAuth Server and a resource server.

At the end of the chapter, we were introduced to JWT, and we extended our OAuth application to use JWT tokens.

This was a wonderful journey through a very important Spring framework—Spring Security.

In the next chapter, let's shift our attention toward full-stack applications. We will look at getting started with using React and Spring Boot, in order to build a full-stack application.
