What is Security
Authentication:
It is the process of letting an application know who we are.
When we present a userId and password (or another credential) and the application verifies it, that process is called authentication.
Authorization:
Once a user has logged in (authenticated), how does the application know how much access that user, or another calling application, has? That is where authorization comes in, and a common way to do it is with roles.
Role:
Each role is mapped to certain URLs or methods in the application. A user holding a given role gets access to the functionality behind those URLs or methods, and a user without it is denied. Anything that is not mapped to a role the user holds should be denied by default.
There are different ways of doing authentication in the HTTP or web application world, starting from:
- Basic Authentication, where the client sends the userId and password in an Authorization header on every request (only safe over HTTPS).
- Form-based authentication, where the user logs in through an HTML form and the application keeps a session.
- In the REST API world we can implement these as well.
- OAuth and Single Sign-On, where authentication and authorization for all applications within our organization go through a single sign-on.
- A custom login mechanism: instead of using Basic, Form or OAuth we can create our own authentication and authorization process as well (this is the hardest option to get right).
Confidentiality:
This is where the application ensures that the data it is sharing cannot be read by a hacker who intercepts it.
That is where encryption and decryption come in.
The simplest way of getting encryption between a browser and an application is to use HTTPS (HTTP over TLS) instead of plain HTTP.
Once the data is encrypted, even if a hacker captures the exchanged data he will not be able to make sense of it. The sending side uses the receiving application's public key to protect the data (in TLS the public key protects a fresh session key, and that session key encrypts the actual traffic), and only the receiving application holds the private key that can decrypt it.
Even if a hacker gets the data in between, he cannot do anything with it unless he has the private key.
That is nothing but maintaining the confidentiality of the data being exchanged between applications, or from a user to the application.
Integrity:
Integrity is where the application can ensure that whatever data is being exchanged really comes from the user or application it expects, and that it was not changed on the way.
For example, if a hacker captures the authentication details or any other data, replaces part of it and sends it on to the banking application, the banking application must be able to tell that the data was tweaked and reject it; only then is integrity maintained.
That is where signatures come in. Later on, when we work with OAuth and JWT, we will learn about the authorization server and the resource server.
When the authorization server creates a token and gives it back to the application, that application sends the token to the resource server.
How does the resource server ensure that this token was really produced by that authorization server? By using a signature: the authorization server signs the token with its private key, and only a party holding the public key corresponding to that private key can verify the signature (while nobody without the private key can produce one).
If a hacker captures the token in between and tweaks it, the resource server's signature verification fails, because the signature sent along with the token no longer matches the token's content. The resource server then knows that somebody modified the token, that integrity is not maintained, and rejects it.
So integrity is checked using signatures.
CSRF and CORS: CSRF is Cross-Site Request Forgery and CORS is Cross-Origin Resource Sharing.
CSRF is an attack in which another website gets the browser to submit a request to our application on our behalf, riding on the cookies the browser already holds for us; CSRF protection (for example a per-session token that the other site cannot read) prevents that.
Cross-Origin Resource Sharing is about letting applications that run on different origins talk to each other without issues, especially when the front end is developed in Angular or React and the back end in Java or Node, and the two are served from different domains. That is where CORS comes in.
By default the browser's same-origin policy will not let a page read responses from another origin; to allow it, CORS has to be enabled within your server-side application by returning Access-Control-Allow-Origin headers for the origins you trust, never for arbitrary ones.