Spring Security Interview Questions

The document provides an overview of Spring Security, detailing its features, authentication and authorization processes, and various security concepts such as Basic authentication, OAuth2, and method security. It also explains the use of annotations, password encoding, session management, and the ability to implement custom filters. Additionally, it covers the role of the Authentication manager and predefined filters in Spring Security.

Uploaded by

awadhutyenkar123

Spring Security Interview Questions

1) What is Spring Security?

- Spring Security is a separate module of the Spring Framework that focuses on providing authentication and authorization methods in Java applications.
- It also takes care of most of the common security vulnerabilities, such as CSRF attacks.
- To use Spring Security in a web application, we can get started with the simple annotation @EnableWebSecurity.

2) Features of Spring Security?

- Supports authentication and authorization in a flexible and comprehensive manner.
- Java Authentication and Authorization Service (JAAS) is supported for authentication purposes.
- Allows single sign-on, so that users can access multiple applications with just one account (username and password).

3) What are authentication and authorization in Spring Security?

- Authentication: verifying the identity of a user, using the credentials provided, when accessing certain restricted resources.
- An example is logging into a website with a username and password.
- Authorization: this ensures that a user can only access the parts of a resource that they are authorized to access.
- An example is the role assigned to the logged-in user, such as ADMIN, CUSTOMER or GUEST.

4) What do you mean by Basic authentication?

- We need a username and password, sent in the HTTP Authorization header, to access the resource.
- In Basic authentication the username and password are encoded using Base64 encoding (not encryption).
- The encoding is not secure, since it can be easily decoded; Basic credentials must therefore only be sent over TLS (HTTPS).
- Syntax:
  Value = username:password
  Encoded value = base64(value)
  Authorization header value = Basic <Encoded value>

5) Explain Spring SecurityContext and SecurityContextHolder?

- SecurityContext: information about the currently authenticated user (also known as the principal) is stored here.
- SecurityContextHolder: retrieving the currently authenticated principal is easiest via a static call to the SecurityContextHolder.
- As a helper class, it provides access to the SecurityContext.

6) Explain Spring Security OAuth2?

- OAuth 2.0 is a simple authorization framework that permits client applications to access protected resources via an authorization server.
- Using it, a client application (a third party) can gain limited access to an HTTP service on behalf of the resource owner or on its own behalf.
- The resource owner/user, the client, the authorization server and the resource server are the parties involved.

7) What is method security and why do we need it?

- The role of the user is used to determine which users are authorized to access the resource.
- A security measure applied to a method prevents unauthorized users and only allows authenticated users.
- It prevents unauthorized users from performing activities beyond their privileges and roles.
- Method-level security is implemented using AOP.

8) What do you mean by hashing in Spring Security?

- Plain-text passwords are not good to store in your DB.
- Store the password in hashed form in the DB instead. This is called password hashing.
- Hashing encodes a string using a hashing algorithm, like MD4, MD5, SHA or SHA-256. Fast digests like these are poorly suited to password storage, which is why Spring Security's default PasswordEncoder uses the slow, salted bcrypt algorithm.

9) What is a PasswordEncoder?

- Password encoding is provided by Spring Security through the PasswordEncoder interface. This interface defines two methods:
- encode(): converts a plain password into its encoded form.
- matches(): compares an encoded password from the database with a plain password that has been encoded using the same salting and hashing algorithm as the stored encoded password.

10) Name the security annotations that are allowed to use SpEL?

- @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter.
- These provide expression-based access control.
- In Spring Security, @PreAuthorize is one of the most powerful annotations that allows you to use SpEL.
- The old @Secured annotation cannot use it: for example, you cannot write @Secured("hasRole('ROLE_ADMIN')"), but you can write @PreAuthorize("hasRole('ROLE_ADMIN')").

11) What is the AuthenticationManager in Spring Security?

- It defines "how authentication will happen".
- The AuthenticationManager contains references to all the AuthenticationProviders.
- An AuthenticationManager can perform one of three actions in its authenticate() method: if the input is valid, return an Authentication with authenticated = true; if it is invalid, throw an AuthenticationException; if it cannot decide on the input, return null.
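
As an added illustration (not from the original notes), here is a hypothetical AuthenticationProvider that shows the three outcomes described above. It assumes Spring Security 5.x and a map of bcrypt hashes as the user store; the class and field names are invented for the example.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider that verifies credentials against an in-memory map of bcrypt hashes.
public class MapBackedAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, String> hashesByUser;   // username -> encoded (hashed) password
    private final PasswordEncoder encoder;
    private final String dummyHash;                    // compared when the user is unknown

    public MapBackedAuthenticationProvider(Map<String, String> hashesByUser, PasswordEncoder encoder) {
        this.hashesByUser = hashesByUser;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("not-a-real-password");
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        // Action 3: not our kind of token, so return null and let ProviderManager try the next
        // provider (ProviderManager normally screens with supports(), but direct callers may not).
        if (!(request instanceof UsernamePasswordAuthenticationToken)) {
            return null;
        }
        String username = request.getName();
        String presented = request.getCredentials() == null ? "" : request.getCredentials().toString();
        String stored = hashesByUser.get(username);
        // Always run one hash comparison, against a dummy hash for unknown users, so response time
        // does not reveal which accounts exist; one generic message hides it from the body too.
        boolean ok = encoder.matches(presented, stored != null ? stored : dummyHash) && stored != null;
        if (!ok) {
            throw new BadCredentialsException("Bad credentials");   // Action 2: invalid input
        }
        // Action 1: the three-argument constructor marks the token authenticated = true.
        return new UsernamePasswordAuthenticationToken(username, null,
                List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register it as a bean, or hand it to new ProviderManager(List.of(provider)); ProviderManager is the AuthenticationManager implementation that walks the providers in order.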

12) What are some predefined filters used by Spring Security?

- The Spring Security filter chain is a very complex and flexible chain of filters.
- SecurityContextPersistenceFilter: this filter restores the Authentication from the HTTP session identified by the JSESSIONID cookie.
- UsernamePasswordAuthenticationFilter: this filter performs authentication.

13) Can you add a custom filter to the Spring Security filter chain?

- Yes, you can add or replace individual filters with your own logic in the Spring Security filter chain.
- You may need to implement new functionality depending on your project requirements, and this can be done by creating a new filter to use in the chain.
- We usually use a filter type like OncePerRequestFilter and register it with the security configuration.

14) How to implement a custom filter in Spring Security?

- We can implement a custom filter in Spring Security by extending the org.springframework.web.filter.GenericFilterBean class.
- GenericFilterBean is a simple javax.servlet.Filter implementation which is Spring-aware. You can override the doFilter() method to implement your own logic.
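
An added example, not part of the original notes, covering questions 13 and 14 (and the SecurityContextHolder call from question 5): an audit-logging filter built on OncePerRequestFilter, which itself extends GenericFilterBean, plus its registration in the chain. It assumes Spring Security 5.x with javax.servlet; the class name, header name and log format are invented.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// OncePerRequestFilter extends GenericFilterBean and additionally guarantees one execution per
// request even when the container re-dispatches it (forwards, error pages).
// Deliberately NOT annotated with @Component: Spring Boot would then also register it with the
// servlet container, and it would run a second time outside the security chain.
public class AuditLoggingFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(AuditLoggingFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String requestId = UUID.randomUUID().toString();
        response.setHeader("X-Request-Id", requestId);       // hypothetical correlation header
        long start = System.nanoTime();
        try {
            chain.doFilter(request, response);                // rest of the chain, then the servlet
        } finally {
            // Runs on the way back out, so the SecurityContext populated by the authentication
            // filters is still present (SecurityContextPersistenceFilter clears it later).
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String who = auth == null ? "none" : auth.getName();   // "anonymousUser" when not logged in
            log.info("reqId={} user={} {} {} status={} ms={}", requestId, who, request.getMethod(),
                    request.getRequestURI(), response.getStatus(), (System.nanoTime() - start) / 1_000_000);
        }
    }

    // Registration inside the SecurityFilterChain configuration: placing it before
    // UsernamePasswordAuthenticationFilter puts it after SecurityContextPersistenceFilter.
    public static HttpSecurity withAuditLogging(HttpSecurity http) {
        return http.addFilterBefore(new AuditLoggingFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
```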

15) What are @ and # used for in Spring Expression Language?

- The @ symbol in Spring EL is used to reference a Spring bean.
- The # symbol in Spring EL allows you to reference a parameter of the method you are securing.

16) What do you mean by session management in Spring Security?

- Session management relates to securing and managing multiple users' sessions against their requests.
- To control HTTP sessions, Spring Security uses the following: SessionManagementFilter and SessionAuthenticationStrategy.
- SessionAuthenticationStrategy takes care of session timeout, session ID, etc.

17) Explain salting and its uses?

- Spring Security automatically applies salting since version 3.1.
- Salting is the process of combining random data with a password before hashing the password.
- A salt improves hashing by making each hash unique (even for identical passwords) and harder to precompute.
- The salted password is hashed and then stored in the DB, along with the salt.
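
An added example, not from the original notes, for questions 8, 9 and 17 together: BCryptPasswordEncoder's encode() and matches(), and why two hashes of the same password differ. It assumes spring-security-crypto on the classpath; the class name and sample password are invented.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // Strength 12 = 2^12 bcrypt rounds; raise it over time as hardware gets faster.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // encode(): what to store in the DB instead of the plain-text password. BCrypt draws a fresh
    // random 16-byte salt on every call and embeds it in the output, so the stored string
    // "$2a$12$<22-char salt><31-char hash>" carries its own salt.
    public static String hashForStorage(String plainPassword) {
        return ENCODER.encode(plainPassword);
    }

    // matches(): re-hash the presented password with the salt read out of the stored value and
    // compare. Never compare plain text, and never try to "decrypt" the stored hash (you cannot).
    public static boolean verify(String presentedPassword, String storedHash) {
        return ENCODER.matches(presentedPassword, storedHash);
    }

    public static void main(String[] args) {
        String plain = "correct horse battery staple";   // constructed sample password
        String hash1 = hashForStorage(plain);
        String hash2 = hashForStorage(plain);

        // Same password, two different stored values: that is the salt at work. Two users with
        // the same password do not share a hash, and precomputed (rainbow) tables are useless.
        System.out.println("hashes differ:  " + !hash1.equals(hash2));
        // Both still verify, because each hash carries the salt it was made with.
        System.out.println("both verify:    " + (verify(plain, hash1) && verify(plain, hash2)));
        System.out.println("wrong rejected: " + !verify("wrong password", hash1));
    }
}
```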

18) Which servlet filter intercepts all the incoming requests sent to an application?

- A filter implementation named DelegatingFilterProxy, which bridges between the servlet container's life cycle and Spring's ApplicationContext.
- The servlet container allows registering filters using its own standards.
- DelegatingFilterProxy can be registered via the standard servlet container mechanism.

19) Which layer is the @EnableGlobalMethodSecurity annotation used to secure?

- We can use the @EnableGlobalMethodSecurity annotation to secure your service layer.
- It provides support for JSR-250 annotation security as well as the framework's original @Secured annotation.
- From 3.0 you can also make use of the new expression-based annotations.
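
An added example, not from the original notes, that ties together questions 7, 10, 15 and 19: @EnableGlobalMethodSecurity on a service layer, SpEL in @PreAuthorize/@PostAuthorize including '#' for parameters and '@' for beans, and the non-SpEL @Secured. It assumes Spring Security 5.x; Account, OwnerCheck and AccountService are invented names.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Enables @PreAuthorize/@PostAuthorize (prePostEnabled) and @Secured (securedEnabled) on Spring beans
// such as the service layer. Checks run in an AOP proxy, so self-invocation inside a bean bypasses them.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class MethodSecurityConfig { }

class Account {                                   // hypothetical domain object
    private final String owner;
    Account(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }    // SpEL's 'returnObject.owner' reads this
}

@Component("ownerCheck")                          // hypothetical policy bean, reached as '@ownerCheck'
class OwnerCheck {
    public boolean isOwner(String accountId, String username) {
        // Constructed rule: ids look like "<owner>-<n>"; a real check would query the data store.
        return accountId != null && accountId.startsWith(username + "-");
    }
}

@Service
class AccountService {
    // Role check in SpEL; hasRole('ADMIN') and hasRole('ROLE_ADMIN') are equivalent.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) { /* ... */ }

    // '#' refers to a method parameter; 'authentication' is the caller's Authentication object.
    @PreAuthorize("#username == authentication.name")
    public Account loadProfile(String username) { return new Account(username); }

    // '@' refers to a Spring bean, so the policy lives in testable code rather than in a string.
    @PreAuthorize("@ownerCheck.isOwner(#accountId, authentication.name)")
    public void transfer(String accountId, long amountCents) { /* ... */ }

    // Evaluated after the call with 'returnObject' bound to the result; false => AccessDeniedException.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Account findById(String id) { return new Account(id.contains("-") ? id.substring(0, id.indexOf('-')) : id); }

    // @Secured takes authority names only: a SpEL string here would be matched as a literal authority.
    @Secured("ROLE_ADMIN")
    public void exportLedger() { /* ... */ }
}
```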

20) How to implement Spring Boot + Basic Authentication?

- Add the spring-boot-starter-security Maven dependency in pom.xml.
- Configure the username and password in application.yml / application.properties.
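
An added example, not from the original notes, for question 20 (and the header format from question 4): a Spring Boot configuration that enables Basic authentication with one in-memory user. It assumes Spring Boot 2.7 / Spring Security 5.7 with spring-boot-starter-security on the classpath; the class name, user and paths are invented.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// With spring-boot-starter-security on the classpath, these beans replace Boot's generated user.
@Configuration
public class BasicAuthConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Same effect as spring.security.user.name / spring.security.user.password in
    // application.properties, but the password is stored hashed and the role is explicit.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice")                       // constructed sample account
                    .password(encoder.encode("s3cret-pass"))     // never keep it in plain text
                    .roles("USER")                               // stored as the authority ROLE_USER
                    .build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/actuator/health").permitAll()     // unauthenticated liveness probe
                .anyRequest().authenticated())
            // Accepts "Authorization: Basic <base64(username:password)>"; a request without it gets
            // 401 plus "WWW-Authenticate: Basic". Base64 is reversible, so serve this over HTTPS only.
            .httpBasic(Customizer.withDefaults())
            // Basic auth carries the credentials on every request, so no server-side session is needed.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Only acceptable for non-browser API clients: a browser caches Basic credentials and
            // resends them automatically, so keep CSRF protection on if browsers will call this.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```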
