Spring Security Interview Questions (2020) | CodeUsingJava
Spring Security Interview Questions


In this post we will look at Spring Security Interview questions. Examples are provided with explanation.

What is Spring Security?

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security lies in how easily it can be extended to meet custom requirements.


What are the features of using Spring Security?

  • Comprehensive and extensible support for both Authentication and Authorization.
  • Protection against attacks such as session fixation, clickjacking and cross-site request forgery (CSRF).
  • Servlet API integration.
  • Optional integration with Spring Web MVC.

What is so special about FilterChainProxy?

  • It is the starting point for all security-specific logic.
  • If we are not sure where to set a breakpoint while troubleshooting an issue, we can start from here.
  • It applies the HttpFirewall to every request before any security filter runs.
  • It performs security logic that is global to the application.
  • Multiple SecurityFilterChains can be registered with it. In that case it also decides which SecurityFilterChain a given request should go to.
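As an added example (not from the original page), the following Java configuration registers two SecurityFilterChain beans and an explicit StrictHttpFirewall so that the chain-selection and firewall points above can be seen in code; the class name, URL patterns and role names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// FilterChainProxy tries the registered chains in @Order and hands the request to the
// FIRST chain whose securityMatcher matches. The narrow "/api/**" chain must therefore
// come before the catch-all chain; with the orders swapped, the API chain would never run.
@Configuration
@EnableWebSecurity(debug = true) // logs which chain/filters a request passed through; disable in production
public class MultiChainSecurityConfig {

    // The firewall is applied by FilterChainProxy before any chain is chosen.
    // StrictHttpFirewall is already the default; it is shown to make the rejection rules explicit.
    @Bean
    WebSecurityCustomizer firewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(false); // reject ";" in the path (the default)
        return web -> web.httpFirewall(firewall);
    }

    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**") // only requests under /api are handled by this chain
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("API"))
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http // no securityMatcher: this chain takes every request the API chain did not
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```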

Define inner beans in Spring.

Inner beans in Spring are beans defined within the scope of another bean. Whenever a bean is used for only one particular property of another bean, it is advisable to declare it as an inner bean. Inner beans are supported in both setter injection and constructor injection.

What do you mean by public key infrastructure (PKI)?

PKI refers to a shared ecosystem of roles, responsibilities, policies and procedures for issuing, managing and revoking digital certificates. The PKI ecosystem ensures the secure and private exchange of sensitive electronic information between known and unknown parties over untrusted networks.

What is DelegatingFilterProxy in Spring Security?

DelegatingFilterProxy is the entry point of Spring Security in a Java web application. Spring Security is based on the concept of Servlet filters: DelegatingFilterProxy is registered with the Servlet container as a standard Filter and delegates each request to a Spring-managed bean that implements the Filter interface.

Spring Security Configuration

  • DigestAuthenticationFilter processes the Digest Authorization header of the HTTP request, placing the result into the SecurityContextHolder.
  • If authentication is successful, the resulting Authentication object is put in the SecurityContextHolder.
  • If authentication fails, an implementation of AuthenticationEntryPoint is called. This is always DigestAuthenticationEntryPoint, which asks the user to authenticate by Digest Authentication again.
  • DigestAuthenticationFilter is configured with an entry point and a UserDetailsService; the UserDetailsService supplies the user information such as username, password and account status.
  • For digest authentication the entry point is a DigestAuthenticationEntryPoint, which needs a key and a realm.
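The configuration described in the bullets above, written out as an added Java example (not code from the original page); the realm name, key value and sample user are assumptions. Note the caveat the page implies: the server must hold the clear-text password (or its MD5 digest), so a one-way PasswordEncoder cannot be used with this scheme.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class DigestSecurityConfig {

    // Digest needs the clear-text password (or MD5 of "user:realm:password") on the server,
    // so the stored secret is stored as-is here (constructed sample user).
    @Bean
    UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("secret").roles("USER").build());
    }

    // The entry point sends the challenge (401 + WWW-Authenticate: Digest ...). It needs a
    // realm name and a server-side key; the key signs the nonce so a client cannot forge
    // nonces or keep using one after it has expired.
    @Bean
    DigestAuthenticationEntryPoint digestEntryPoint() {
        DigestAuthenticationEntryPoint entryPoint = new DigestAuthenticationEntryPoint();
        entryPoint.setRealmName("Bank Realm");
        entryPoint.setKey("REPLACE-WITH-LONG-RANDOM-KEY"); // placeholder value
        entryPoint.setNonceValiditySeconds(300);
        return entryPoint;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users,
                                    DigestAuthenticationEntryPoint entryPoint) throws Exception {
        DigestAuthenticationFilter digestFilter = new DigestAuthenticationFilter();
        digestFilter.setUserDetailsService(users);
        digestFilter.setAuthenticationEntryPoint(entryPoint);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(entryPoint)) // re-challenge on failure
            .addFilter(digestFilter); // inserted at DigestAuthenticationFilter's slot in the chain
        return http.build();
    }
}
```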

What is Spring Security OAuth2?

  • Spring Security provides comprehensive security services for J2EE-based enterprise software applications. OAuth is an open authorization protocol that allows client applications to access a resource owner's resources on HTTP services such as Gmail, GitHub, etc.
  • Spring Security OAuth2 is a sub-project under Spring Security whose goal is to help build OAuth2-enabled consumer and provider Java applications. We can add Spring Boot starter projects to enable Spring Security OAuth2 in Spring Boot.

What is Digest Authentication?

Digest authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as a username and password, with a user's web browser. It can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it insecure unless used in conjunction with TLS.

What are Authorities in Authentication object?

Spring Security provides a variety of options for performing authentication. These follow a simple contract: an Authentication request is processed by an AuthenticationProvider, and a fully authenticated object with full credentials is returned. That returned Authentication carries the principal's granted authorities (for example roles such as ROLE_USER), which later authorization decisions are based on.

What Is A Security Context?

The security context in Spring Security holds details of the principal currently using the application. It is always available to methods in the same thread of execution, even when it is not explicitly passed as an argument to those methods.

What is ProviderManager in Spring Security?

A ProviderManager is the most commonly used implementation of AuthenticationManager. It holds a list of AuthenticationProviders and delegates each authentication request to them in turn.
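The three answers above (authorities, the security context and ProviderManager) describe one flow; here it is as an added, runnable Java example that is not code from the original page. The provider, user name and roles are constructed for illustration; ProviderManager, UsernamePasswordAuthenticationToken and SecurityContextHolder are the real Spring Security classes.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ProviderManagerDemo {

    // Constructed single-user store: only the bcrypt hash is kept, never the password itself.
    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();
    static final String ALICE_HASH = ENCODER.encode("s3cret");

    /** The contract: take an unauthenticated request token, return a fully authenticated one (or throw). */
    static class DemoProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            String username = request.getName();
            String rawPassword = String.valueOf(request.getCredentials());
            if (!"alice".equals(username) || !ENCODER.matches(rawPassword, ALICE_HASH)) {
                throw new BadCredentialsException("Bad credentials"); // same message for unknown user and wrong password
            }
            List<GrantedAuthority> authorities =
                List.of(new SimpleGrantedAuthority("ROLE_USER"), new SimpleGrantedAuthority("ROLE_TELLER"));
            // authenticated(...) marks the token isAuthenticated()=true and attaches the authorities;
            // credentials are passed as null so the password is not carried around afterwards.
            return UsernamePasswordAuthenticationToken.authenticated(username, null, authorities);
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    public static void main(String[] args) {
        // ProviderManager asks each registered provider that supports() the token, in order.
        ProviderManager manager = new ProviderManager(new DemoProvider());
        Authentication result = manager.authenticate(
            UsernamePasswordAuthenticationToken.unauthenticated("alice", "s3cret"));

        // Publish it to the security context; code on this thread can read it without it being passed in.
        SecurityContextHolder.getContext().setAuthentication(result);
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println(current.getName() + " authorities=" + current.getAuthorities()
            + " authenticated=" + current.isAuthenticated());
        SecurityContextHolder.clearContext(); // always clear when threads are reused (thread pools)
    }
}
```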

What is OAuth2 Authorization code grant type?

The Authorization Code Grant Type is probably the most common of the OAuth 2.0 grant types that you'll encounter. It is used by both web apps and native apps to get an access token after a user authorizes an app.

What are Runners in Spring Security?

The ApplicationRunner and CommandLineRunner interfaces let you execute code after the Spring Boot application has started. You can use these interfaces to perform any action immediately after start-up.
  • Application Runner: ApplicationRunner is an interface used to execute code after the Spring Boot application has started. The example below shows how to implement the ApplicationRunner interface on the main class file.
    package com.tutorialspoint.demo;
    
    import org.springframework.boot.ApplicationArguments;
    import org.springframework.boot.ApplicationRunner;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    
    @SpringBootApplication
    public class DemoApplication implements ApplicationRunner {
       public static void main(String[] args) {
          SpringApplication.run(DemoApplication.class, args);
       }
       @Override
       public void run(ApplicationArguments arg0) throws Exception {
          System.out.println("Hello People from Application Runner");
       }
    }
    
  • Command Line Runner: CommandLineRunner is an interface used to execute code after the Spring Boot application has started. The example below shows how to implement the CommandLineRunner interface on the main class file.
    package com.tutorialspoint.demo;
    
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    
    @SpringBootApplication
    public class DemoApplication implements CommandLineRunner {
       public static void main(String[] args) {
          SpringApplication.run(DemoApplication.class, args);
       }
       @Override
       public void run(String... arg0) throws Exception {
          System.out.println("Hello people from Command Line Runner");
       }
    }
    

What are All Security Layers In Spring Security Framework?

  • Authentication
  • Web request security
  • Service layer and domain object security

What Are Access Controls In Spring Security?

  • The files in the directory "/secure" should only be visible to authenticated users.
  • The files in the directory "/secure/extreme" should only be visible to Supervisors.
  • Withdrawal and deposits can be made only by Tellers and Supervisors.
  • Overdraft limit for an account can be exceeded only by Supervisors.

Name the modules of the Spring framework?

The modules of the Spring framework are:
  • Test
  • Data Access
  • AOP
  • Web
  • Spring framework

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?

  • ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter. This is enabled by default. However, it is probably clearer to use the expression isAnonymous() instead, which has the same meaning.
  • ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It is not a name that is built into Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.
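As an added example (not code from the original page) serving both the access-control requirements listed under "What Are Access Controls In Spring Security?" and the ROLE_USER/ROLE_ANONYMOUS answer above: URL rules for "/secure" and "/secure/extreme", method-level rules for withdrawals, deposits and overdraft limits, and a user store showing that every role except ROLE_ANONYMOUS exists only because the application assigns it. Class names, paths, user names and passwords are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class BankSecurityConfig {

    // ROLE_USER, ROLE_TELLER and ROLE_SUPERVISOR exist only because they are assigned here;
    // ROLE_ANONYMOUS is the one role Spring Security itself gives to unauthenticated requests.
    @Bean
    UserDetailsService users() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager( // constructed sample users
            User.withUsername("teller").password(enc.encode("t-pass")).roles("USER", "TELLER").build(),
            User.withUsername("boss").password(enc.encode("b-pass")).roles("USER", "TELLER", "SUPERVISOR").build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/secure/extreme/**").hasRole("SUPERVISOR") // most specific rule first
                .requestMatchers("/secure/**").authenticated()               // any logged-in user
                .requestMatchers("/register/**").anonymous()                 // equivalent to isAnonymous()
                .anyRequest().permitAll())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Service-layer rules hold no matter which URL (or other caller) invoked the method.
@Service
class AccountService {
    @PreAuthorize("hasAnyRole('TELLER', 'SUPERVISOR')") // deposit() carries the same rule
    public void withdraw(String account, long cents) { /* business logic omitted */ }

    @PreAuthorize("hasRole('SUPERVISOR')")
    public void exceedOverdraftLimit(String account, long cents) { /* business logic omitted */ }
}
```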

What is Hashing in Spring Security?

Hashing is a general security concept in which a string is converted into an encoded string according to the hashing algorithm used. A hashing method takes the password as input and outputs the hashed string. This hashed string is stored in the database instead of the plain text. Whenever a user provides a password to authenticate, the back end converts that password to a hashed string using the same hashing algorithm and then compares it with the string stored in the database.
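The register-then-verify flow just described, as an added Java example using Spring Security's PasswordEncoder (not code from the original page); the in-memory map standing in for the database and the sample passwords are constructed. It also shows the detail the prose glosses over: with a salted algorithm such as bcrypt, the stored value cannot be compared by re-encoding and string equality, so matches() must be used.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // DelegatingPasswordEncoder: bcrypt by default, output prefixed with "{bcrypt}" so the
    // stored value records which algorithm produced it (allows later migration).
    private static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Constructed stand-in for the users table: username -> stored hash (never the plain text).
    private static final Map<String, String> USERS = new HashMap<>();

    // Hash of a constructed dummy password so a lookup miss costs about the same time as a mismatch.
    private static final String DUMMY_HASH = ENCODER.encode("dummy-password");

    static void register(String username, String rawPassword) {
        USERS.put(username, ENCODER.encode(rawPassword)); // store only the hash
    }

    /** Login check: re-hash the supplied password with the same algorithm AND salt, then compare. */
    static boolean login(String username, String rawPassword) {
        String stored = USERS.get(username);
        if (stored == null) {
            ENCODER.matches(rawPassword, DUMMY_HASH); // equalise timing for unknown users
            return false;
        }
        // bcrypt generates a fresh salt on every encode(), so
        // ENCODER.encode(rawPassword).equals(stored) would always be false;
        // matches() reads the salt out of 'stored' and re-hashes with it.
        return ENCODER.matches(rawPassword, stored);
    }

    public static void main(String[] args) {
        register("alice", "correct horse battery staple");
        System.out.println("stored value: " + USERS.get("alice"));
        System.out.println("two encodes of the same password differ: "
            + !ENCODER.encode("x").equals(ENCODER.encode("x")));
        System.out.println("alice, right password: " + login("alice", "correct horse battery staple"));
        System.out.println("alice, wrong password: " + login("alice", "hunter2"));
        System.out.println("unknown user: " + login("nobody", "hunter2"));
    }
}
```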

What is Actuator in Spring Security?

Spring Boot Actuator provides secured endpoints for monitoring and managing your Spring Boot application. By default, all actuator endpoints are secured.

How is Security mechanism implemented using Spring?

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications. Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security lies in how easily it can be extended to meet custom requirements. Spring makes use of the DelegatingFilterProxy to implement its security mechanism: it is a proxy for a standard Servlet Filter that delegates to a Spring-managed bean implementing the Filter interface.