Authentication answers "who are you?"; authorization answers "what are you allowed to do?" They run in that order — you can't decide access without first establishing identity — but they are distinct mechanisms with distinct failure codes, and conflating them is a classic interview tell.
Authentication (AuthN)
Establishing identity by verifying credentials: a username/password, a bearer token, a client certificate, an OAuth2 login. In Spring Security the result is an Authentication object holding the principal (usually a UserDetails), the credentials, and a flag that it's authenticated. The pieces:
- The AuthenticationManager (the entry point) delegates to one or more AuthenticationProviders.
- A provider verifies the credentials (e.g. DaoAuthenticationProvider loads a UserDetails via UserDetailsService and checks the password with a PasswordEncoder).
- On success the Authentication is stored in the SecurityContext.
Failure here is 401 Unauthorized — you haven't proven who you are.
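The wiring described above, as an added example that is not part of the original text: an AuthenticationManager built from a DaoAuthenticationProvider backed by an in-memory UserDetailsService and a BCrypt PasswordEncoder, with a main() that exercises it outside a Spring context. It assumes Spring Security 6 on the classpath; the class name, the two users and their passwords are constructed for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class AuthnConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed sample users for the example; a real deployment backs this with a store.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("alice-pw"))       // stored as a BCrypt hash, never plain text
                .authorities("ROLE_ADMIN", "SCOPE_orders")  // authorities() takes the full strings
                .build(),
            User.withUsername("bob")
                .password(encoder.encode("bob-pw"))
                .roles("USER")                              // roles() prepends ROLE_ for you
                .build());
    }

    // The entry point: a ProviderManager that delegates to one DaoAuthenticationProvider.
    @Bean
    AuthenticationManager authenticationManager(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }

    // Stand-alone run of the same wiring, without a Spring container.
    public static void main(String[] args) {
        AuthnConfig cfg = new AuthnConfig();
        PasswordEncoder encoder = cfg.passwordEncoder();
        AuthenticationManager manager =
            cfg.authenticationManager(cfg.userDetailsService(encoder), encoder);

        // Good credentials: the returned Authentication is marked authenticated and carries
        // the user's authorities; storing it in the SecurityContext is what the filter chain does.
        Authentication ok = manager.authenticate(
            UsernamePasswordAuthenticationToken.unauthenticated("alice", "alice-pw"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(ok);
        SecurityContextHolder.setContext(ctx);
        System.out.println("authenticated=" + ok.isAuthenticated() + " authorities=" + ok.getAuthorities());

        // Bad password and unknown user both surface as BadCredentialsException: the provider
        // hides UsernameNotFoundException by default, so a caller cannot enumerate usernames.
        for (String[] attempt : new String[][] {{"alice", "wrong-pw"}, {"nobody", "anything"}}) {
            try {
                manager.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                // In a web request this is the failure the filter chain reports as 401 Unauthorized.
                System.out.println("rejected " + attempt[0] + ": " + e.getMessage());
            }
        }
    }
}
```

The point of the main() is the contract the rest of the page relies on: authenticate() either returns an authenticated Authentication or throws an AuthenticationException, and nothing about permissions is decided here.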
Authorization (AuthZ)
Once identity is known, deciding whether that identity may perform this action, based on its authorities (roles/scopes). Two layers:
// URL-level, in the SecurityFilterChain
.authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").hasRole("ADMIN")
    .requestMatchers("/orders/**").hasAuthority("SCOPE_orders")
    .anyRequest().authenticated())

// Method-level
@PreAuthorize("hasRole('ADMIN') and #userId == authentication.name")
public void deleteUser(String userId) { ... }
Failure here is 403 Forbidden — we know who you are, you're just not permitted.
Roles vs authorities
A "role" is just an authority with the ROLE_ prefix. hasRole("ADMIN") is sugar for hasAuthority("ROLE_ADMIN"). Mixing these up (hasRole("ROLE_ADMIN") double-prefixes and silently never matches) is a common bug.
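Both the 401-versus-403 distinction and the role/authority equivalence can be pinned down in a MockMvc test, shown here as an added example rather than code from the original text. It assumes Spring Boot 3 with spring-boot-starter-test and spring-security-test (JUnit 5) on the classpath; the configuration, controller, test class and user names are constructed for the example. One caveat the test makes explicit: without an authentication entry point, Spring Security answers an anonymous request with 403, so httpBasic() is enabled to get the 401 the page describes.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class AuthzConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")              // same as hasAuthority("ROLE_ADMIN")
                .requestMatchers("/orders/**").hasAuthority("SCOPE_orders") // no prefix is added here
                .anyRequest().authenticated())
            // With no entry point configured the anonymous case would be a 403;
            // httpBasic() installs an entry point that challenges with 401.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class PingController {
    @GetMapping("/admin/ping")  String admin()  { return "admin"; }
    @GetMapping("/orders/ping") String orders() { return "orders"; }
}

@WebMvcTest(controllers = PingController.class)
@Import(AuthzConfig.class)
class AuthzTest {
    @Autowired MockMvc mvc;

    @Test
    void anonymousRequestIsAnAuthenticationFailure() throws Exception {
        // Identity never established: 401, not 403.
        mvc.perform(get("/admin/ping")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(username = "bob", roles = "USER")   // roles = "USER" grants ROLE_USER
    void wrongRoleIsAnAuthorizationFailure() throws Exception {
        // Identity known, permission missing: 403.
        mvc.perform(get("/admin/ping")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "alice", authorities = {"ROLE_ADMIN", "SCOPE_orders"})
    void matchingAuthoritiesAreAdmitted() throws Exception {
        // hasRole("ADMIN") is satisfied by the plain authority string "ROLE_ADMIN".
        mvc.perform(get("/admin/ping")).andExpect(status().isOk());
        mvc.perform(get("/orders/ping")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(username = "carol", roles = "orders")  // grants ROLE_orders, not SCOPE_orders
    void roleDoesNotSatisfyAScopeAuthority() throws Exception {
        // hasAuthority("SCOPE_orders") compares the whole string; a role with a similar name does not match.
        mvc.perform(get("/orders/ping")).andExpect(status().isForbidden());
    }
}
```

The practical rule the last two tests encode: pass bare names to roles()/hasRole() and let the framework add ROLE_, and pass the full string to authorities()/hasAuthority(); keep the two APIs paired and the prefix mistakes in the text cannot occur.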