Once the user is validated in terms of who they claim to be, the next aspect, what the user has access to, needs to be ascertained. This process of making sure what the user is allowed to do within the application is called authorization.
In line with authentication architecture, as seen earlier, authorization also has a manager, AccessDecisionManager. Spring Security has three built-in implementations for this: AffirmativeBased, ConsensusBased, and UnanimousBased. AccessDecisionManager works by delegating to a chain of AccessDecisionVoter. Authorization-related Spring Security classes/interfaces are shown in the following diagram:
In Spring Security, authorization to a secured resource is granted by invoking voters and then tallying the votes received. The three built-in implementations...