spring-security

What is the difference between principal and authentication in this example?


I am learning Spring Security and can't understand what the difference between authentication and principal is. I do understand that the code below is not logically connected, but as far as I understand, both authentication and principal give us the possibility to get the data of the currently logged-in user.

@PreFilter("filterObject.owner == authentication.name")
@PreAuthorize("hasRole('ADMIN') or principal.userId == #id")

Solution

  • Principal represents the logged-in User. Spring's Authentication interface extends the Principal interface, so Authentication is a Principal.

    Before the user has been authenticated, Authentication can represent the token for an authentication request.

    After the user has been authenticated, it can provide extra information about the Principal, e.g., through getAuthorities(..) you can get the authorities that the principal has been granted after successful authentication.
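As an added example (not part of the question or the answer above), the following shows how the two SpEL references from the annotations, authentication.name and principal.userId, resolve at runtime; it assumes a hypothetical AppUser class (a UserDetails that exposes getUserId()) and Spring Security 5.7+ for the unauthenticated()/authenticated() factory methods.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

public class PrincipalVsAuthenticationDemo {

    // Hypothetical UserDetails carrying an application-level userId, so that
    // "principal.userId" in @PreAuthorize("hasRole('ADMIN') or principal.userId == #id")
    // has something to resolve against.
    static class AppUser extends User {
        private final long userId;

        AppUser(long userId, String username, Collection<? extends GrantedAuthority> authorities) {
            super(username, "unused-placeholder", authorities);  // password is irrelevant here
            this.userId = userId;
        }

        public long getUserId() { return userId; }
    }

    public static void main(String[] args) {
        // 1. Before authentication: the Authentication is only a *request* token.
        //    Its principal is just the submitted username (a String), nothing more.
        Authentication request = UsernamePasswordAuthenticationToken.unauthenticated("alice", "secret");
        System.out.println("authenticated? " + request.isAuthenticated());
        System.out.println("principal type: " + request.getPrincipal().getClass().getSimpleName());

        // 2. After authentication: the Authentication wraps the full principal plus granted authorities.
        AppUser alice = new AppUser(42L, "alice", List.of(new SimpleGrantedAuthority("ROLE_USER")));
        Authentication authenticated =
            UsernamePasswordAuthenticationToken.authenticated(alice, null, alice.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(authenticated);

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Principal asPrincipal = auth;          // compiles: Authentication extends java.security.Principal
        System.out.println("authentication.name -> " + asPrincipal.getName());   // used by @PreFilter
        AppUser principal = (AppUser) auth.getPrincipal();                        // "principal" in SpEL
        System.out.println("principal.userId   -> " + principal.getUserId());     // used by @PreAuthorize
        System.out.println("authorities        -> " + auth.getAuthorities());     // what hasRole() checks
    }
}
```

In the annotations, authentication is the Authentication object held in the SecurityContext and principal is what its getPrincipal() returns, so principal.userId only works if your own UserDetails class really has a getUserId() accessor.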