Sunday, December 19, 2021

Spring Security Interview Questions

Q:- What are some essential features of Spring Security?

Q:- Explain Spring Security Architecture using Spring Boot? 

Q:- What is Spring security authentication and authorization?

Q:- What is principal in spring security?

Principal is an interface (java.security.Principal) that represents the abstract notion of a principal; it can stand for any entity, such as an individual, a corporation, or a login id.

Put more simply, the principal is the currently logged-in user. We retrieve it through the security context, which is bound to the current thread and therefore also to the current request and its session.

The Spring Security principal can only be retrieved as an Object and needs to be cast to the correct UserDetails instance.
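As an added example (not code from the original post), a small helper that performs that retrieval and cast. It also guards against the case where the principal is not a UserDetails at all, for instance the String "anonymousUser" that the anonymous filter places in the context; the class name CurrentUser is my own choice.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper (not part of Spring Security) for reading the principal
// bound to the current thread and narrowing it to UserDetails.
public final class CurrentUser {

    private CurrentUser() {
    }

    // Returns the caller's UserDetails, or null when nothing is authenticated on this
    // thread or the principal is not a UserDetails (e.g. the anonymous "anonymousUser"
    // String, which is reported as authenticated but carries no user record).
    public static UserDetails currentUserDetails() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return (UserDetails) principal;
        }
        return null;
    }

    // Convenience accessor: username of the current user, or null if none.
    public static String currentUsername() {
        UserDetails user = currentUserDetails();
        return user == null ? null : user.getUsername();
    }
}
```

Callers should treat a null return as "no authenticated user" rather than assuming a cast will succeed; a blind cast to UserDetails throws ClassCastException for anonymous requests.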

Alternatively, the principal can be injected directly as a controller method argument:

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/user")
public class UserController {

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String getUserName(Principal principal) {
        return principal.getName();
    }
}

Alternatively, we can also use the authentication token:

import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/user")
public class UserController {

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String getUserName(Authentication authentication) {
        return authentication.getName();
    }
}

Q:- Explain SecurityContextHolder, SecurityContext and Authentication Objects?

  • SecurityContextHolder
  • SecurityContext
  • Authentication Objects

Q:- Explain AuthenticationManager, ProviderManager and AuthenticationProviders?

AuthenticationManager:

public interface AuthenticationManager {
    Authentication authenticate(Authentication authentication) throws AuthenticationException;
}

ProviderManager: ProviderManager is the default implementation of AuthenticationManager. It delegates the authentication process to a list of AuthenticationProvider objects.

public class ProviderManager
    extends Object
    implements AuthenticationManager, MessageSourceAware, InitializingBean

AuthenticationProvider:

public interface AuthenticationProvider {
    Authentication authenticate(Authentication authentication)
            throws AuthenticationException;
    boolean supports(Class<?> authentication);
}

Some of the AuthenticationProvider implementations shipped with Spring Security are: AbstractJaasAuthenticationProvider, AbstractLdapAuthenticationProvider, AbstractUserDetailsAuthenticationProvider, ActiveDirectoryLdapAuthenticationProvider, AnonymousAuthenticationProvider, AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider, CasAuthenticationProvider, DaoAuthenticationProvider, DefaultJaasAuthenticationProvider, JaasAuthenticationProvider, LdapAuthenticationProvider, OpenIDAuthenticationProvider, PreAuthenticatedAuthenticationProvider, RememberMeAuthenticationProvider, RemoteAuthenticationProvider, RunAsImplAuthenticationProvider, TestingAuthenticationProvider.
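As an added example (not from the original post), a custom AuthenticationProvider that ProviderManager could delegate to. It validates a username/password token against a constructed map of username to encoded password; the class name MapBackedAuthenticationProvider and the sample store are my own. The point worth noticing is the user-not-found handling: the encoder is still run against a dummy hash when the username is unknown, so the response time does not reveal which usernames exist (the same mitigation DaoAuthenticationProvider applies).

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider: authenticates UsernamePasswordAuthenticationToken requests
// against a map of username -> encoded (hashed) password.
public class MapBackedAuthenticationProvider implements AuthenticationProvider {

    private final Map<String, String> encodedPasswords; // constructed sample store
    private final PasswordEncoder passwordEncoder;
    private final String userNotFoundEncodedPassword;   // dummy hash for unknown users

    public MapBackedAuthenticationProvider(Map<String, String> encodedPasswords,
                                           PasswordEncoder passwordEncoder) {
        this.encodedPasswords = encodedPasswords;
        this.passwordEncoder = passwordEncoder;
        // Encoded once up front so unknown-user checks cost the same as real ones.
        this.userNotFoundEncodedPassword = passwordEncoder.encode("userNotFoundPassword");
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String rawPassword = credentials == null ? "" : credentials.toString();

        boolean userExists = encodedPasswords.containsKey(username);
        // Always run the encoder, even for unknown users, to keep timing uniform.
        String encoded = userExists ? encodedPasswords.get(username) : userNotFoundEncodedPassword;
        boolean passwordMatches = passwordEncoder.matches(rawPassword, encoded);

        // One generic message for both failure modes: no username enumeration.
        if (!userExists || !passwordMatches) {
            throw new BadCredentialsException("Bad credentials");
        }

        // This constructor form marks the token as authenticated. Credentials are
        // set to null so the raw password does not stay in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // ProviderManager calls this first; only username/password tokens are handled here.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Registered through AuthenticationManagerBuilder.authenticationProvider(...), this provider joins the ProviderManager's list; the first provider that supports the token type and returns a non-null Authentication wins.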

Q:- What is AuthenticationManagerBuilder in Spring Boot?

AuthenticationManagerBuilder is the SecurityBuilder used to create an AuthenticationManager. It makes it easy to configure in-memory authentication, LDAP authentication, JDBC-based authentication, a UserDetailsService, and additional AuthenticationProviders.

public class AuthenticationManagerBuilder
    extends AbstractConfiguredSecurityBuilder<AuthenticationManager,AuthenticationManagerBuilder>
    implements ProviderManagerBuilder<AuthenticationManagerBuilder>

Q:-What is OAuth2 Authorization code grant type? How to implement it using Spring Boot Security?

Q:-Using Spring Boot Security how to refresh expired JSON Web Token?

Q:-What is JWT ? How to implement it using Spring Boot Security

Q:-What is OAuth2 Client Credentials Grant? How to implement it using Spring Boot Security

Q:-What is OAuth2 Password Grant? How to implement it using Spring Boot Security?

Q:- What do you mean by basic authentication?

Q:- What do you mean by digest authentication?

Q:-What do you mean by session management in Spring Security?

  • SessionManagementFilter
  • SessionAuthenticationStrategy

With these two, spring-security can manage the following security session options:   

  • Session timeouts (the amount of time a user can remain inactive on a website before the site ends the session).
  • Concurrent sessions (the number of sessions that an authenticated user can have open at once).
  • Session fixation protection (defence against an attack that permits an attacker to hijack a valid user session).
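As an added example (not from the original post), a configuration that sets the three options just listed through HttpSecurity.sessionManagement(). The class name SessionSecurityConfig and the URLs are my own choices; the inactivity timeout itself is a servlet-container setting, which in Spring Boot is given by the server.servlet.session.timeout property rather than in this class.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .formLogin().and()
            .logout().and()
            .sessionManagement()
                // Session fixation: on successful login, copy the attributes into a
                // freshly generated session id, so an id planted before authentication
                // is never promoted to an authenticated session.
                .sessionFixation().migrateSession()
                // Concurrent sessions: one active session per user. With
                // maxSessionsPreventsLogin(false) the older session is expired and the
                // new login succeeds; true would refuse the second login instead.
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)
                    .expiredUrl("/login?expired");
        // Session timeout (inactivity): set in application.properties, e.g.
        //   server.servlet.session.timeout=15m
    }

    // Publishes servlet session-destroyed events to the concurrent session registry,
    // so sessions ended by logout or timeout stop counting against the limit.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Without the HttpSessionEventPublisher bean the registry never learns that a session was destroyed, and a user can be locked out by a stale entry until it expires on its own.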

Q:- Explain SecurityContext and SecurityContext Holder in Spring security.

Q:- Explain spring security OAuth2.

In OAuth2, there are four roles, as shown below:

  • Resource Owner/User: 
  • Client:
  • Authorization Server:
  • Resource Server:

Q:- What do you mean by OAuth2 Authorization code grant type?

Q:- What is method security and why do we need it?

Q:- What do you mean by HASHING in spring security?

Q:- Explain salting and its usage.

Q:- What is PasswordEncoder?

Q:- Explain AbstractSecurityInterceptor in spring security?

  • FilterSecurityInterceptor:
  • MethodSecurityInterceptor: 

Q:- Is security a cross-cutting concern?

Answer: Yes. Security is one of the typical cross-cutting concerns, alongside:

  • Logging and tracing
  • Transaction management
  • Security
  • Caching
  • Error handling
  • Performance monitoring
  • Custom Business Rules

Q:- What is SpEL (Spring Expression Language)?

Q:- Name security annotations that are allowed to use SpEL.

Some security annotations that are allowed to use SpEL include: 

  • @PreAuthorize 
  • @PreFilter 
  • @PostAuthorize 
  • @PostFilter
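As an added example (not from the original post), all four annotations on one service, with the SpEL variables each of them exposes: #parameterName in @PreAuthorize, returnObject in @PostAuthorize, and filterObject in the two filter annotations. The Document type, the DocumentService class and its sample data are constructed for the example. The configuration class is included because without prePostEnabled = true these annotations are silently ignored, which is the first thing to check when a method that should be protected is not.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Switches on @PreAuthorize / @PostAuthorize / @PreFilter / @PostFilter processing.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical domain type, constructed for the example.
class Document {
    private final long id;
    private final String owner;
    private final String title;

    Document(long id, String owner, String title) {
        this.id = id;
        this.owner = owner;
        this.title = title;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }   // SpEL reads this as ".owner"
    public String getTitle() { return title; }
}

@Service
public class DocumentService {

    // Constructed sample data standing in for a repository.
    private final List<Document> store = new ArrayList<>(List.of(
            new Document(1, "alice", "alice-notes"),
            new Document(2, "bob", "bob-notes")));

    // Checked before the body runs: #owner is the parameter, authentication.name the caller.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public List<Document> findByOwner(String owner) {
        return store.stream()
                .filter(d -> d.getOwner().equals(owner))
                .collect(Collectors.toList());
    }

    // Checked after the body runs, against the value about to be returned.
    // The body executes regardless, so it must not have side effects that a denied
    // caller could trigger. A null result is allowed through (nothing to protect).
    @PostAuthorize("hasRole('ADMIN') or returnObject == null or returnObject.owner == authentication.name")
    public Document findOne(long id) {
        return store.stream().filter(d -> d.getId() == id).findFirst().orElse(null);
    }

    // Drops every element of the returned list that fails the expression.
    @PostFilter("hasRole('ADMIN') or filterObject.owner == authentication.name")
    public List<Document> findAll() {
        return new ArrayList<>(store);
    }

    // Drops elements of the argument list before the body runs. The argument is
    // modified in place, so callers must pass a mutable collection.
    @PreFilter("filterObject.owner == authentication.name")
    public int deleteAll(List<Document> documents) {
        store.removeAll(documents);
        return documents.size();   // number of documents the caller was allowed to delete
    }
}
```

For a caller authenticated as "bob" without ROLE_ADMIN, findByOwner("alice") is refused before the body runs, findAll() returns only bob's document, and deleteAll of a list containing both documents removes only bob's and returns 1.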

Q:- Explain what is AuthenticationManager in Spring security.

Q:- Explain what is ProviderManager in Spring security.

Q:- What is JWT?

Q:- What is Spring Security Filter Chain?

Q:- Explain how the security filter chain works.

Q:- Name some predefined filters used in spring security and write their functions.

  • SecurityContextPersistenceFilter: 
  • ConcurrentSessionFilter:
  • UsernamePasswordAuthenticationFilter:
  • ExceptionTranslationFilter: 
  • FilterSecurityInterceptor:

Q:- What do you mean by principal in Spring security?

Q:- Can you explain what is DelegatingFilterProxy in spring security?

Q:- Can you explain what is FilterChainProxy in spring security?

Q:- What is the intercept-url pattern and why do we need it?

Q:- Does order matter in the intercept-url pattern? If yes, then in which order should we write it?

Q:- State the difference between ROLE_USER and ROLE_ANONYMOUS in a spring intercept-url configuration.

  • ROLE_USER:
  • ROLE_ANONYMOUS: 

Q:- State the difference between @PreAuthorize and @Secured in Spring security.

Q:- State the difference between @Secured and @RolesAllowed.

Q:-How to configure Spring Security using Spring Boot?

Q:-How to create Custom Login Page using Spring Boot Security?

Q:-How to do authentication against database tables using Spring Boot Security?

Q:-How to configure Spring Security with in-memory configuration?

Q:-What is the use of Spring Boot Security AuthenticationHandler class?

Q:-How to configure DelegatingFilterProxy?

Q:-How to configure Spring Security using Spring MVC
