7.4. Summary

When you started this chapter, you had an application which anybody could have added critical issues to and removed important issues from with no controls to prevent such destructive behavior. Over the course of the chapter you added measures to control access.

You started by adding the simplest of security constraints to the application, allowing the users to authenticate to the server side, although this doesn’t do you much good until you can control what the users do to the data. After you added the authorization constraints, you had fine-grained control over who could modify and delete the data. This is important, because before Spring Security was developed, the most common way to declaratively define security constraints this way at the method level was to use EJBs and container-managed security, which would probably have made this tight integration difficult to create.