Hello guys, if you are preparing for Java and Spring Developer interview then
you should prepare about Spring Security. Since Security is an important topic
and Spring security is the most popular framework to implement security in Java
web applications, there is always a few questions based upon Spring Security in
Java developer interviews. In the past, I have shared
Spring Boot questions, Spring Data JPA Question,
Spring Cloud Questions, and
Microservices Interview Questions
and in this article, I will share 20 popular Spring security questions for
practice. I have also shared answers so that you can revise key Spring security
concepts quickly but if you think that you need more preparation on certain
topic then you can also checkout this list of
best Spring Security courses
where I have shared online courses to learn Spring security in depth.
Adequately preparing for an interview is always a very important thing for
anyone going for an interview to do. You cannot fail to prepare and then
expect to get good results at the end because proper preparation goes hand in
hand with great results.
An interview can turn around your life so you have to treat it with the
seriousness it deserves. Just imagine getting into an interview room and
immediately seeing the interview panel, you realize that you are not ready at
all for the interview.
Will you run away or will you face the panel? To save yourself from such an
embarrassment, you only have to do one thing and that is to get ready.
Getting ready is not just saying to yourself you are ready or telling your friends that you are ready but it entails you making a step of finding out the types of questions that are usually asked in that particular type of interview.
Getting ready is not just saying to yourself you are ready or telling your friends that you are ready but it entails you making a step of finding out the types of questions that are usually asked in that particular type of interview.
Once you know the kind of questions commonly asked, you will be a step
higher and it will end up being an added advantage to you on the day of the
interview. On my part, I have keenly thought about you and have therefore
researched and compiled questions that you will not miss to find in a Spring
Security interview.
1. What is Spring Security?
Answer: Spring Security is basically a powerful authentication and access control framework. It is highly customizable and it mainly focuses on the provision of both authentication and authorization to Java applications.
2. What are the modules of the Spring framework?
Answer: the Spring framework has four modules as follows:
3. What are some of the predefined filters used in spring security?
Answer: some of the predefined filters according to the order in which they occur are as follows
4. What rules and restrictions do you have to follow in order for DelegatingFilterProxy to work as required?
Answer:
5. What is the security context?
Answer: security context is defined as an interface in the Spring Security framework that defines the minimum security information that is associated with the current thread of execution.
6. What is PasswordEncoder in Spring Security?
Answer: it is a Spring security interface that provides password encoding or password hashing.
7. What are some of the essential features of Spring Security?
Answer: some of the essential features of Spring Security include:
8. What is ProviderManager in Spring Security?
Answer: ProviderManager is basically the default implementation of AuthenticationManager.
9. What is JWT?
Answer: JWT (JSON Web Tokens) are tokens which are generated by a server when user authentication takes place in a web application and thereafter sent to the client. Here is a nice diagram which explains clearly what is JSON Web Token and parts of JWT Token:
10. Why do you need the Intercept-url?
Answer: Intercept-url is used to define the set of URL patterns that the application is interested in to as well configure how they should be handled.
11. How many user roles are there in Spring Security?
Answer: You can define as many user roles as you want in Spring security. For examples an e-commerce application can have following roles
12. What are the security layers in Spring Security framework?
Answer:
13. In which security annotation is Spel used?
You can use Spring expression or Spel in following annotations
14. What is a Principal in Spring Security?
Answer: principal refers to the user who is currently logged in. Spring security allows you method to access security principle so that you know their access for authorizing page access.
15. What is salting? What is password hashing?
Answer: salting is the process of combining random data and a password before password hashing. On the other hand, password hashing is the process of storing encrypted passwords in a database. Here is a nice diagram which explains salting and how to use salted password in Spring and Java:
16. What are the types of advice in AOP?
Answer: Spring Security is a cross cutting concern, so it is implemented using Spring AOP. It provides multiple options for authorization as well as authentication. Following are the common types of advice available on AOP
17. What are the ORM’s supported by Spring?
Answer:
18. What is mutual authentication?
Answer: mutual authentication is a process where both entities in a communications link validate each other. It is also known as two-way authentication.
19. What is the work of @secured and @rolesallowed annotation in Spring Security?
Answer: both of these annotations provide method level security into Spring Beans. The difference between the two is that @Secured is a Spring Security annotation from version 2.0 going forward while @RolesAllowed is JSR 250 annotation.
20. Why does application go in endless loop when you try to login?
Answer: this only happens when login page is a secured resource. Ordinarily, login page should not be secured but instead marked as ROLE_ANONYMOUS.
21. @EnableGlobalMethodSecurity annotation is used in Spring Security
to secure which layer?
You can use EnableGlobalMethodSecurity annotation to secure your Service layer. From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework’s original @Secured annotation. From 3.0 you can also make use of new expression-based annotations.
22. What is Authentication and Authorization in spring Security? which comes first?
Authentication is process of validating the user who he claims to be. Once the person is authenticated, he is allowed to perform certain actions based on his role, which is authorization. This means authentication comes first.
23. In Spring Security, what is the name of the class retrieving the authentication information from the database for a given username?
In Spring Security, UserDetailsService is used by DaoAuthenticationProvider for retrieving a username, password, and other attributes for authenticating with a username and password. Spring Security provides in-memory and JDBC implementations of UserDetailsService. You can define custom authentication by exposing a custom UserDetailsService as a bean
24. In Spring Security, which class holds the information regarding high level user permissions?
In spring Security, GrantedSecuirty class is an authority that is granted to the principal on the Authentication (i.e. roles, scopes, etc.)
25. In Spring Security, which Servlet Filter intercept all the incoming requests sent to an application?
Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the Servlet container’s lifecycle and Spring’s ApplicationContext. The Servlet container allows registering Filters using its own standards, but it is not aware of Spring defined Beans. DelegatingFilterProxy can be registered via standard Servlet container mechanisms, but delegate all the work to a Spring Bean that implements Filter.
26. Which class holds user information such as the username and password before Authentication in Spring Security?
In Spring Security, UserDetails is returned by the UserDetailsService. The DaoAuthenticationProvider validates the UserDetails and then returns an Authentication that has a principal that is the UserDetails returned by the configured UserDetailsService
27 Spring Security Interview Questions with Answers for Experienced Java Developers
Here are the 20 Spring security questions you can prepare to do well on
Spring Developer interview. I have tried to covered important Spring
security concepts through these questions but if you think something is
missing, feel free to suggest ion comments. If you have a Spring
security question whose answer you don't know, feel free to share in
comments and I will try to answer.
1. What is Spring Security?
Answer: Spring Security is basically a powerful authentication and access control framework. It is highly customizable and it mainly focuses on the provision of both authentication and authorization to Java applications.
2. What are the modules of the Spring framework?
Answer: the Spring framework has four modules as follows:
- Test
- Data Access
- AOP
- Web
3. What are some of the predefined filters used in spring security?
Answer: some of the predefined filters according to the order in which they occur are as follows
- SecurityContextPersistenceFilter – it stores the SecurityContext contents between HTTP requests.
- ConcurrentSessionFilter – responsibe for handling concurrent sessions.
- UsernamePasswordAuthenticationFilter – it is the most popular authentication filter.
- ExceptionTranslationFilter – it is responsible for handling exceptions thrown by the security interceptors.
- FilterSecurityInterceptor – it secures HTTP resources.
4. What rules and restrictions do you have to follow in order for DelegatingFilterProxy to work as required?
Answer:
- The target bean must implement the javax.servlet.Filter interface.
- Declaring delegating filter proxy to your web.xml as a filter is a must.
- Filter-name element and target bean must have the same name.
5. What is the security context?
Answer: security context is defined as an interface in the Spring Security framework that defines the minimum security information that is associated with the current thread of execution.
6. What is PasswordEncoder in Spring Security?
Answer: it is a Spring security interface that provides password encoding or password hashing.
7. What are some of the essential features of Spring Security?
Answer: some of the essential features of Spring Security include:
- It supports authentication and authorization in a very organized, comprehensive and flexible manner.
- It integrates with Servlet API.
- It provides optional integration with Spring Web MVC.
- Facilitates detection and prevention of attacks.
8. What is ProviderManager in Spring Security?
Answer: ProviderManager is basically the default implementation of AuthenticationManager.
9. What is JWT?
Answer: JWT (JSON Web Tokens) are tokens which are generated by a server when user authentication takes place in a web application and thereafter sent to the client. Here is a nice diagram which explains clearly what is JSON Web Token and parts of JWT Token:
10. Why do you need the Intercept-url?
Answer: Intercept-url is used to define the set of URL patterns that the application is interested in to as well configure how they should be handled.
11. How many user roles are there in Spring Security?
Answer: You can define as many user roles as you want in Spring security. For examples an e-commerce application can have following roles
- Tellers
- Supervisors
- Plain Users
12. What are the security layers in Spring Security framework?
Answer:
- Authentication
- Web request security
- Service layer and domain object security
13. In which security annotation is Spel used?
You can use Spring expression or Spel in following annotations
- @PostFilter
- @PreAuthorize
- @PostAuthorize
- @PreFilter
14. What is a Principal in Spring Security?
Answer: principal refers to the user who is currently logged in. Spring security allows you method to access security principle so that you know their access for authorizing page access.
15. What is salting? What is password hashing?
Answer: salting is the process of combining random data and a password before password hashing. On the other hand, password hashing is the process of storing encrypted passwords in a database. Here is a nice diagram which explains salting and how to use salted password in Spring and Java:
16. What are the types of advice in AOP?
Answer: Spring Security is a cross cutting concern, so it is implemented using Spring AOP. It provides multiple options for authorization as well as authentication. Following are the common types of advice available on AOP
- After Advice
- Before Advice
- Throws Advice
- Around Advice
- After Returning Advice
17. What are the ORM’s supported by Spring?
Answer:
- JPA (Java Persistence API)
- Hibernate
- JDO (Java Data Objects)
- iBatis
- TopLink
18. What is mutual authentication?
Answer: mutual authentication is a process where both entities in a communications link validate each other. It is also known as two-way authentication.
19. What is the work of @secured and @rolesallowed annotation in Spring Security?
Answer: both of these annotations provide method level security into Spring Beans. The difference between the two is that @Secured is a Spring Security annotation from version 2.0 going forward while @RolesAllowed is JSR 250 annotation.
20. Why does application go in endless loop when you try to login?
Answer: this only happens when login page is a secured resource. Ordinarily, login page should not be secured but instead marked as ROLE_ANONYMOUS.
You can use EnableGlobalMethodSecurity annotation to secure your Service layer. From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework’s original @Secured annotation. From 3.0 you can also make use of new expression-based annotations.
22. What is Authentication and Authorization in spring Security? which comes first?
Authentication is process of validating the user who he claims to be. Once the person is authenticated, he is allowed to perform certain actions based on his role, which is authorization. This means authentication comes first.
23. In Spring Security, what is the name of the class retrieving the authentication information from the database for a given username?
In Spring Security, UserDetailsService is used by DaoAuthenticationProvider for retrieving a username, password, and other attributes for authenticating with a username and password. Spring Security provides in-memory and JDBC implementations of UserDetailsService. You can define custom authentication by exposing a custom UserDetailsService as a bean
24. In Spring Security, which class holds the information regarding high level user permissions?
In spring Security, GrantedSecuirty class is an authority that is granted to the principal on the Authentication (i.e. roles, scopes, etc.)
25. In Spring Security, which Servlet Filter intercept all the incoming requests sent to an application?
Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the Servlet container’s lifecycle and Spring’s ApplicationContext. The Servlet container allows registering Filters using its own standards, but it is not aware of Spring defined Beans. DelegatingFilterProxy can be registered via standard Servlet container mechanisms, but delegate all the work to a Spring Bean that implements Filter.
26. Which class holds user information such as the username and password before Authentication in Spring Security?
In Spring Security, UserDetails is returned by the UserDetailsService. The DaoAuthenticationProvider validates the UserDetails and then returns an Authentication that has a principal that is the UserDetails returned by the configured UserDetailsService
27. What are authentication mechanisms provided by Spring Security?
Spring Security provides the following authentication mechanisms:- Username and Password,
- OAuth 2.0,
- SAML 2.0,
- CAS,
- Remember Me,
- JAAS Authentication,
- OpenID,
- Pre-Authentication Scenarios
- and X509 Authentication
That's all about the
27 Spring Security Interview Questions with Answers for
experienced Java developers. These questions are good for Java
developer with experience 1 to 5 years who have worked in Spring
Framework and implemented authentication and authorization using
Spring Security.
Spring security is a very interesting area or subject that you will
enjoy answering the questions during the interview if at all you have
gone through the mentioned questions very well. If you have not
mastered all the above questions, please take your time and go through
the questions once again and am sure you will be able to see that
these questions are just like any other questions and you can answer
them very easily provided you are confident enough before the
interviewing panel.
Always remember that your confidence during the interview day depends on how well you have prepared yourself. Don’t shift your focus to anything else but keep on internalizing the questions and answers and you will surely be proud of yourself at the end.
Always remember that your confidence during the interview day depends on how well you have prepared yourself. Don’t shift your focus to anything else but keep on internalizing the questions and answers and you will surely be proud of yourself at the end.
Other Java and Spring Tutorials and Questions you may like
Thanks for reading this article so far; if you find these
Spring Security interview questions and answers useful, please share
them with your friends and colleagues.
- 5 courses to learn Spring Boot and Spring Cloud ( courses)
- 15 Spring Data JPA Interview Questions with answers (questions)
- 15 Spring Cloud Interview Questions for Java developers (answers)
- 15 Microservices Interview questions (answers)
- 5 Courses to learn Spring Cloud and Microservices (courses)
- 10 Advanced Spring Boot Courses for Java Programmers (courses)
- 5 Course to Master Spring Boot online (courses)
- 10 Tools Java Developers use in their day-to-day life (tools)
- Top 5 Books and Courses to learn RESTful Web Service (books)
- 13 Spring Boot Actuator questions with answers (Actuator)
- 3 ways to change Tomcat port in Spring Boot (tutorial)
- 5 Spring Boot Annotations for full-stack Java developers (tutorial)
- 10 Spring MVC annotations Java developers should learn (annotations)
- 20 Kubernetes Interview Questions with Answers (ks8s questions)
- Top 5 Courses to learn Microservices in Java? (courses)
- 10 Courses to learn Spring Security with OAuth 2 (courses)
- 3 Best Practices Java Programmers can learn from Spring (best practices)
P. S. - If you want to learn about Spring Security and look for best
Spring Security online course, I also recommend you join these
best Spring Security online courses
on Udemy and Baeldung. It's one of the best free courses to learn
Spring Boot for Java developers.
No comments:
Post a Comment
Feel free to comment, ask questions if you have any doubt.