Spring Security defines the notion of a principal, the currently logged-in user. When a user authenticates successfully, the principal is stored in Spring’s security context, which is thread-bound, thus making it available to the rest of our service.
Spring Security provides Authorization via Role-Based Access Control (RBAC). This means that a Principal has several Roles. Each resource (or operation) specifies which Roles a Principal must have to perform actions with proper authorization.