Spring Security Interview Questions


1. What is Spring Security?

Answer: Spring Security is a framework that provides comprehensive security services for Java applications. It handles authentication (verifying who you are) and authorization (verifying what you are allowed to do) and is often used to secure web applications, REST APIs, and microservices.

2. What is the difference between authentication and authorization?

Answer:

  • Authentication: The process of verifying the identity of a user or system. For example, logging in with a username and password.
  • Authorization: The process of determining whether a user or system has permission to access a resource or perform an action.

3. How does Spring Security handle authentication?

Answer: Spring Security handles authentication by using the AuthenticationManager to authenticate a user based on the credentials provided (e.g., username and password). It then creates an Authentication object, which is stored in the SecurityContext.

4. What is the role of SecurityContextHolder?

Answer: SecurityContextHolder is a class that holds the SecurityContext associated with the current thread of execution. The SecurityContext contains details of the authenticated user, such as their Authentication object.

5. Explain how Spring Security handles session management.

Answer: Spring Security manages sessions through its SessionManagementConfigurer. It can configure session creation policies, such as stateless sessions (no sessions created) or stateful sessions. It also provides mechanisms to handle session fixation, concurrent session control, and session invalidation.

6. What is the purpose of WebSecurityConfigurerAdapter?

Answer: WebSecurityConfigurerAdapter is a base class used to configure Spring Security. By extending this class, developers can override methods to customize security settings, such as defining authentication mechanisms, specifying URL access rules, and configuring security filters.

7. How do you configure method-level security in Spring Security?

Answer: Method-level security is configured using annotations such as @PreAuthorize, @Secured, or @RolesAllowed on methods in your service classes. You also need to enable method security by adding @EnableGlobalMethodSecurity to a configuration class.

8. What is a UserDetailsService and how is it used?

Answer: UserDetailsService is an interface used to load user-specific data. It provides a method loadUserByUsername(String username) that retrieves user details from a data source. Spring Security uses it to authenticate users and populate the Authentication object.

9. What is the difference between UsernamePasswordAuthenticationFilter and BasicAuthenticationFilter?

Answer:

  • UsernamePasswordAuthenticationFilter: Handles authentication for username- and password-based login, usually through form submissions.
  • BasicAuthenticationFilter: Handles HTTP Basic authentication, where the credentials are sent in the Authorization header in Base64-encoded form.

10. What is OAuth2 and how does Spring Security support it?

Answer: OAuth2 is an authorization framework that allows third-party applications to access a user's resources without exposing the user's credentials. Spring Security provides extensive support for OAuth2, including OAuth2 login, token-based authentication, and the client credentials flow.

11. Explain the concept of CSRF protection in Spring Security.

Answer: CSRF (Cross-Site Request Forgery) protection prevents unauthorized commands from being transmitted on behalf of a user that the web application trusts. Spring Security includes CSRF protection by default, adding a CSRF token to forms and verifying it on form submissions.

12. What is a SecurityFilterChain?

Answer: SecurityFilterChain is a component of Spring Security that defines a chain of filters used to process incoming HTTP requests. Each filter in the chain performs a specific security-related task, such as authentication, authorization, or logging.
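The configuration below is an added example (not code from the original post) that ties several of the answers above together in one SecurityFilterChain bean: form login and HTTP Basic (questions 9 and 12), session fixation protection and concurrent session control (question 5), CSRF left enabled (question 11), a UserDetailsService backed by a password encoder (question 8), and method security enabled (question 7). It assumes Spring Security 6, where the SecurityFilterChain bean and @EnableMethodSecurity replaced WebSecurityConfigurerAdapter and @EnableGlobalMethodSecurity; the URL patterns and user accounts are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize / @Secured / @RolesAllowed checks on beans
public class WebSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth   // rules are matched top-down, first match wins
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())  // adds UsernamePasswordAuthenticationFilter
            .httpBasic(Customizer.withDefaults())  // adds BasicAuthenticationFilter for API clients
            // CSRF protection is left at its default (enabled): a token is required on state-changing requests
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId()) // fresh session id on login
                .maximumSessions(1)               // concurrent session control: one session per user
                .maxSessionsPreventsLogin(true)); // reject the second login instead of expiring the first
        return http.build();
    }

    // Without this, sessions invalidated on logout are never removed from the session registry
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }
    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample accounts; a real application loads them from a database
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("admin-pw")).roles("USER", "ADMIN").build());
    }
}
```

With maxSessionsPreventsLogin(true), a user who is already logged in elsewhere gets an authentication failure rather than silently expiring the older session, which is the safer default for administrative accounts.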

13. How do you implement custom authentication in Spring Security?

Answer: To implement custom authentication, you can create a custom AuthenticationProvider that contains your authentication logic. Register this custom provider in the AuthenticationManager to handle the authentication process.

14. What are some common security vulnerabilities that Spring Security addresses?

Answer: Spring Security helps protect against common security vulnerabilities such as:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Session Fixation
  • Clickjacking
  • Insecure Direct Object References

15. Explain the @PreAuthorize annotation.

Answer: The @PreAuthorize annotation is used to specify authorization rules at the method level. It allows you to use Spring Expression Language (SpEL) to define complex access control expressions based on user roles or other conditions.
