Having established how users will authenticate, you also need to configure your application’s authorization rules.
The advanced authorization capabilities within Spring Security represent one of the most compelling reasons for its popularity. Irrespective of how you choose to authenticate (whether using a Spring Security-provided mechanism and provider or integrating with a container or other non-Spring Security authentication authority), the authorization services can be used within your application in a consistent and simple way.
You should consider attaching authorization rules to request URIs and methods to begin. In either case, you can listen and react to authorization events that each authorization check publishes. Below there is also wealth of detail about how Spring Security authorization works and how, having established a basic model, it can be fine-tuned.