Bakytzhan
Level 5
Алматы

How to do authorization in Spring Boot and JWT

Published in the Random EN group
If you are developing a RESTful API (and who isn't?), you need to use tokens to authorize the user. Of course, you can encrypt the user's password on the client and send it to the server with every request to each protected resource, but there is a high probability that your traffic will be eavesdropped on and the encryption algorithm will be broken. It is also simply inconvenient to authorize each REST API resource separately. That approach can work if you literally have a couple of APIs and don't want to stand up a whole system.

You can also, of course, use someone else's authorization server, for example Google or Okta, which provide Authorization as a Service. Or you can stand up Keycloak. Or you can use Spring Security, which connects to Spring Boot easily. But to do this, you need to understand the life cycle of a Spring application and how the Request Filter works.

If this topic interests you and you would like a closer look at how to fully implement authorization and authentication on a REST API, with separation by roles (RBAC, Role-Based Access Control) and with data saved in a database rather than just in memory or in text, as in many Hello World lessons, then I invite you to join me in a livecoding session where we will implement all of this. Link: https://youtu.be/m5FAo5Oa6ag