KEMBAR78
Spring Security Interview Problems | PDF | Authentication | Secure Communication
Scribd
Upload
70 views2 pages

Spring Security Interview Problems

The document explains how Spring Security's filter chain operates, detailing key filters and customization options for request processing. It covers implementing stateless authentication using JWT, method-level security annotations, and the distinction between authentication and authorization. Additionally, it outlines integrating Spring Security with OAuth2 for single sign-on (SSO) through configuration and customization steps.

Uploaded by

pbecic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
70 views2 pages

Spring Security Interview Problems

The document explains how Spring Security's filter chain operates, detailing key filters and customization options for request processing. It covers implementing stateless authentication using JWT, method-level security annotations, and the distinction between authentication and authorization. Additionally, it outlines integrating Spring Security with OAuth2 for single sign-on (SSO) through configuration and customization steps.

Uploaded by

pbecic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

Spring Security for Strong Senior Developers

How does Spring Security's filter chain work and how can you customize it?
 Spring Security uses a chain of filters to intercept and process requests before reaching
controllers.
 Key filters include:
 SecurityContextPersistenceFilter, UsernamePasswordAuthenticationFilter,
ExceptionTranslationFilter, FilterSecurityInterceptor.
 Customization options:
 Add or remove filters via HttpSecurity or SecurityFilterChain.
 Create custom filters by implementing OncePerRequestFilter or GenericFilterBean.
 Use DSL to define filter order and access rules.
 Filters are ordered to ensure consistent behavior during authentication and
authorization.

How do you implement stateless authentication with JWT in Spring Security?


 Stateless authentication avoids server-side sessions; credentials are stored in JWT
tokens.
 Implementation steps:
 Issue JWT on successful login (with claims, expiry).
 Attach token to Authorization header in subsequent requests.
 Create a filter to extract, validate, and set Authentication in SecurityContext.
 Disable default session creation:
 http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 Ensure secure signing and validation of JWT (e.g., HMAC, RSA).

How do method-level security annotations like @PreAuthorize and @Secured


work?
 @PreAuthorize — evaluates SpEL expressions before method execution.
 @Secured — simpler role-based check (e.g., @Secured("ROLE_ADMIN")).
 Enable globally via:
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true).
 Example:
 @PreAuthorize("hasRole('ADMIN') and #id == principal.id")
 Useful for enforcing fine-grained security at the service layer.

What is the difference between Authentication and Authorization in Spring


Security?
 Authentication — verifying user identity (e.g., login, credentials check).
 Authorization — granting access based on roles/permissions.
 Authentication sets the Authentication object in SecurityContextHolder.
 Authorization uses AccessDecisionManager and voters to decide access rights.
 Both are decoupled for flexibility and extensibility.

How would you integrate Spring Security with OAuth2 for single sign-on (SSO)?
 Use Spring Security’s OAuth2 client support:
 spring-security-oauth2-client (for login via Google, GitHub, etc.).
 spring-security-oauth2-resource-server (for JWT and introspection-based
authorization).
 Steps:
 Configure client registration in application.yml (client-id, client-secret, scopes).
 Use @EnableOAuth2Login for browser-based SSO.
 Configure WebSecurityConfigurer to allow redirects and token validation.
 Customize OAuth2UserService to map external identities to internal roles.

You might also like