Access Control: Identification, Authentication, and Authorization

Unauthorized access to data and resources is one of the most significant and dangerous risks of the digital world. The OWASP Foundation, in its Top 10 Application Security Risks – 2017 project, ranked “Broken Authentication” second and “Broken Access Control” fifth.

Lately, we have heard a lot about data breaches (which lead to unauthorized access), some of them involving big companies like Facebook, where third parties exposed 540 million user records. And let’s not even talk about password leaks, the “unintentional” loading of user data without users’ consent, or the Cambridge Analytica scandal.

As software engineers, we should always control who or what has access to resources. It’s our responsibility to build robust products with a high degree of security, including strong access control mechanisms.

Access control makes sure that only authenticated and authorized users can access resources. Sometimes there is a bit of confusion between access control and authorization, or between authentication and identification. Let’s clarify all of them and give some examples.


Identification happens when a user claims an identity. In the physical world, we could state our name. When I meet somebody for the first time, I introduce myself by saying “I’m Thomas”: that is me identifying myself.

In the digital world, instead, I would provide my username or email address, claiming the identity of my account, for example.

Identification is the first step of access control.


If I went to the airport to catch a flight and told the airport personnel “I’m Thomas”, for sure, they would ask me for some proof of my identity. That is the authentication process: verifying a claimed identity.

At the airport, I would prove my identity through my passport. When trying to get into my email account, I would provide my password to prove that I am who I claim to be and that the account is really mine. If I had enabled two-factor authentication (and I should), I would also provide a second proof of my identity, for example a code generated by a USB token or by a dedicated app on my smartphone.

Verifying the user identity, i.e. authenticating them, is the second step of access control.


Once the airport personnel have authenticated my identity through my passport, they have proof of who I am, but that doesn’t mean I can go wherever I want across the airport or catch whichever flight I like. Nope. I can only do what I have permission for, i.e. what I’m authorized to do. Buying a ticket to Reykjavík grants me the right to fly to Iceland, as long as I identify myself as the owner of the ticket and prove my identity. (I know, I have simplified airport security procedures a lot, but it was for the sake of the example.)

If we consider the email account example again, after the authentication phase the email provider will check my permissions to figure out what I can or cannot do once I have access to my email account. A necessary permission is the one granting me access to my, and only my, emails — not the ones from other email accounts. In a CMS application, I might have permission to add new content, but not to delete it. An administrator would have permission to perform more operations than me.

Authorization is the third step of access control.


Access control systems grant access to resources only to users whose identity has been proved and who have the required permissions. To accomplish that, we need to follow three steps:

    • Identification
    • Authentication
    • Authorization.
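The three steps above, as an added example that is not part of the original post: a small Python gate that looks up the claimed username (identification), verifies the password against a salted PBKDF2 hash (authentication) and then checks the permission required for the requested action, plus, for mailbox reads, that the mailbox belongs to the caller (authorization). The in-memory user directory, the permission names and the passwords are constructed for the example; a failed identification and a failed authentication both return the same generic denial, so the caller cannot tell which step failed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional


class Decision(Enum):
    ALLOWED = "allowed"
    DENIED = "denied"


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    password_hash: bytes
    permissions: FrozenSet[str]  # constructed names such as "content:add"


PBKDF2_ITERATIONS = 100_000  # illustrative; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so stored hashes cannot be reversed or reused."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, permissions: Iterable[str]) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), frozenset(permissions))


# Constructed in-memory directory standing in for a real user store (assumption).
USERS: Dict[str, User] = {
    u.username: u
    for u in (
        make_user("thomas", "correct horse battery staple", {"content:add", "mailbox:read"}),
        make_user("admin", "adm1n-passw0rd", {"content:add", "content:delete", "mailbox:read"}),
    )
}

# Used so the failure path for an unknown username costs as much as a real check.
_DUMMY_SALT = bytes(16)


def identify(username: str) -> Optional[User]:
    """Step 1, identification: the caller claims an identity. We only look it up;
    nothing is trusted yet."""
    return USERS.get(username)


def authenticate(user: Optional[User], password: str) -> Optional[User]:
    """Step 2, authentication: verify the claim with the password.

    The hash is computed even for unknown users so that the 'no such user' and
    'wrong password' paths take similar time and both yield the same generic
    failure (None), revealing nothing about which step failed."""
    if user is None:
        hash_password(password, _DUMMY_SALT)
        return None
    candidate = hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.password_hash):  # constant-time compare
        return user
    return None


def authorize(user: User, action: str, resource_owner: Optional[str] = None) -> Decision:
    """Step 3, authorization: an authenticated user may still do only what they
    have permission for. Mailbox reads are additionally restricted to the
    caller's own mailbox, mirroring the 'my, and only my, emails' rule."""
    if action not in user.permissions:
        return Decision.DENIED
    if action == "mailbox:read" and resource_owner != user.username:
        return Decision.DENIED
    return Decision.ALLOWED


def access(username: str, password: str, action: str,
           resource_owner: Optional[str] = None) -> Decision:
    """Run the three steps in order; any failure short-circuits to DENIED."""
    user = authenticate(identify(username), password)
    if user is None:
        return Decision.DENIED
    return authorize(user, action, resource_owner)


if __name__ == "__main__":
    for args in (
        ("thomas", "correct horse battery staple", "content:add", None),
        ("thomas", "correct horse battery staple", "content:delete", None),
        ("thomas", "correct horse battery staple", "mailbox:read", "admin"),
        ("nobody", "anything", "content:add", None),
    ):
        print(args[0], args[2], args[3], "->", access(*args).value)
```

Note that `authorize` receives a `User` object that only `authenticate` can produce, so the permission check can never run on an unverified claim; keeping the three steps as separate functions makes that ordering explicit in the code rather than a convention callers must remember.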

Access control is paramount for security, and failing to design and implement it correctly can be fatal for a company.

What about you? Which process do you follow to ensure correct and secure access control to your resources and services?

Highlights from HL7® FHIR® DevDays 2018 in Amsterdam

Welcome to the HL7 FHIR DevDays 2018 in Amsterdam

Last week I attended the HL7 FHIR DevDays 2018 in Amsterdam, the “most important and largest FHIR only event in the world” organised by Firely. It’s been awesome: a lot of interesting and inspiring sessions, exciting projects and a vibrant and friendly community.

FHIR (Fast Healthcare Interoperability Resources) is an HL7 standard for exchanging healthcare information electronically. I was very impressed by the fantastic community working on and with FHIR, everyone really committed to making a difference for people’s health with the support of technology.

Continue reading “Highlights from HL7® FHIR® DevDays 2018 in Amsterdam”

WordCamp Oslo 2018: “Security Is a Process, Not a Plugin” (Talk)

In 2000, the internationally renowned security technologist Bruce Schneier wrote: “Security is a process, not a product”. In the same essay, he wondered: “Will we ever learn?”. Apparently not.

How many times have you considered your WordPress application’s security only once it was completed? How many times have you installed a security plugin and thought it was enough? Securing a web application doesn’t mean installing a plugin just before deployment. Not at all.

I’m very passionate about security and I’d like to share my thoughts with you. My focus will be the security awareness related to web applications. Is WordPress secure? I will answer this question very clearly. And you’re not gonna like it!

Working on a WordCamp Website: Tips and Tricks

Last winter, I joined the team organising the WordCamp Torino 2017 as the lead for the website group. In this post, I’d like to write some tips and tricks for managing a WordCamp website, considering the challenges that we had to face.

A screenshot of the header of WordCamp Torino 2017 website, with logo and picture of Torino
The website for WordCamp Torino 2017. The logo was designed by Carmen Tortorella.

The reference is the Web Presence section of the WordCamp Organizer Handbook.

Setting Up the Environment

The first thing to do when starting to work on a WordCamp website is to set up a local environment. is part of the WordPress Meta Environment. You can choose to install either the whole Meta project or just the WordCamp website.

Here you can find some useful resources:

Continue reading “Working on a WordCamp Website: Tips and Tricks”

Securing a Spring Boot Application with Keycloak

Last Update: 3 March 2019

In this article, we’re going to secure a Spring Boot application using Keycloak.

Securing Spring Boot with Keycloak

Before doing that, let’s briefly recall what we have done so far.

First, we talked about the main features of Keycloak used in this series and learned how to install and boot the Keycloak server.

Then, we set up Keycloak with some basic configuration so that it can secure a web application (providing it with authentication and authorization).

In this article, we’re going to learn how to:

    1. Create a client in Keycloak;
    2. Set up the Spring Boot application;
    3. Define the application resources;
    4. Add access policies based on user roles.

You can check out the full source code of the demo project we’re going to build on GitHub.

Let’s get started! Continue reading “Securing a Spring Boot Application with Keycloak”

My First 2 Years as WordPress Contributor

Exactly two years ago, at this same time, I was coming home from Milan after attending the first Italian WordPress Contributor Day. I didn’t know then what it would mean to me, but it was the beginning of something awesome.

I started using WordPress as a CMS in 2009, but it was only in 2015, in Milan, that I discovered the Community and the many opportunities to contribute to this successful open source project. Have a look at the Make area to read more about the different teams working on WordPress.

Contributor Day for WordCamp Torino 2017 - Thomas Vitale is presenting
Contributor Day Torino 2017 – Photo by Gianni Vascellari

Continue reading “My First 2 Years as WordPress Contributor”

Keycloak Basic Configuration for Authentication and Authorization

Last Update: 20 January 2019

In the previous article, we got to know Keycloak, an open source project for identity and access management developed by the Red Hat Community. We went through how to install it, boot it and access the Keycloak Admin Console for the first time.

Continuing from where we left off, in this new article I’d like to talk about how to configure Keycloak so that we can later use it to manage authentication and authorization for web applications and services. We’ll learn how to create a new realm, define roles and add users.

Throughout this series, we’re going to see more features and details of Keycloak, but I suggest you check the helpful and detailed official documentation whenever you have doubts or want to know more.

1. Access Control, Authentication and Authorization

Managing authentication and authorization is an essential task in every well-designed web application or service. Keycloak makes it very easy and practical, letting us focus on the application’s business logic rather than on the implementation of security features.

Before going on, it is worth briefly recalling the definitions of some fundamental security properties (from the NIST glossary):

  • Access Control: “The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances)”.
  • Authentication: “Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system”.
  • Authorization: “Access privileges granted to a user, program, or process or the act of granting those privileges”.

A typical error is treating authorization and access control as synonyms, when in fact the latter is included in the former. If you are interested in exploring this difference, there’s an interesting article by ICANN about it. Continue reading “Keycloak Basic Configuration for Authentication and Authorization”

Introducing Keycloak for Identity and Access Management

Last Update: 20 January 2019

Lately, I’ve been working with Keycloak, so I decided to delve deeper into it and write about it.

This article is the first of a series in which I’d like to introduce Keycloak as a solution for managing authentication and authorization, explain how to install it, and cover its fundamental concepts and configurations.

Then I’d like to explain how to use it to secure Spring Boot, Spring Security and AngularJS applications and services, analyse the implementation when a relational database is used to store users and, finally, show how to manage users from Java through the Admin REST API.

A preview of the Keycloak official website
Keycloak Website – Open Source Identity and Access Management

1. What is Keycloak?

Keycloak is an open source project developed and maintained by the Red Hat Community.

“Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.”

It offers a broad set of features, like SSO, authentication and authorization, social login, multifactor authentication and centralised user management. I suggest you check the official documentation to get all the details.

Throughout this series we’ll make use of the following features:

  • Admin Console to configure the Keycloak server and create realms, roles, users and clients;
  • Single Sign-On (SSO) using the OpenID Connect (OIDC) authentication and authorization protocol;
  • Client Adapters to integrate Spring Boot, Spring Security and AngularJS with Keycloak;
  • Admin REST API for user management.

Continue reading “Introducing Keycloak for Identity and Access Management”