Spring Data MCQs
Answer: B
Explanation: JpaRepository extends PagingAndSortingRepository (which in turn extends CrudRepository) and adds JPA-specific methods such as flush(), saveAndFlush(), and overrides for saveAll() to return a List [1].
1. Which Spring Data interface provides built-in methods for pagination and sorting?
    A. CrudRepository
    B. Repository
    C. PagingAndSortingRepository [2]
    D. JpaRepository
    Answer: C
    Explanation: PagingAndSortingRepository is specifically designed to include pagination and sorting abstractions (e.g. findAll(Pageable) and findAll(Sort)) [2].
1. What do the keywords First and Top do in a Spring Data JPA query method name?
    A. They must be accompanied by a numeric value.
    B. They are synonyms; without a number they default to 1 [3].
    C. First sorts ascending, Top sorts descending.
    D. They limit results to 100 by default.
    Answer: B
    Explanation: In Spring Data JPA query derivation, First and Top are interchangeable keywords for limiting results. If no numeric value is appended (e.g. findFirstBy), they default to returning one record [3].
    Answer: A
    Explanation: To specify a custom JPQL (or SQL) query on a Spring Data repository method, you use the @Query annotation on the method. This allows you to provide the JPQL directly in the repository interface [4].
    Answer: B
    Explanation: Spring Data JPA will look for a named query matching the domain class and method name (e.g. User.findByEmail). If such a named query exists, it will be used instead of deriving a query from the method name [5].
1. By default, what transaction settings do Spring Data JPA CrudRepository methods use?
    A. Read operations are non-transactional, writes are REQUIRES_NEW.
    B. Read operations have readOnly=true, other methods use default @Transactional [6].
    C. All methods default to readOnly=false.
    D. Methods are transactional only if annotated manually.
    Answer: B
    Explanation: By default, Spring Data JPA methods inherited from CrudRepository have transactional settings from SimpleJpaRepository: read operations run with readOnly=true, and save/delete operations run with a standard @Transactional (no readOnly flag) [6].
1. Are custom query methods (e.g. using @Query) in Spring Data JPA transactional by default?
    A. Yes, all repository methods are always transactional.
    B. No, they have no transaction settings unless annotated. [7]
    Answer: B
    Explanation: Declared query methods (including those with @Query) do not inherit transactional settings by default. If you need them to be transactional, you must annotate them (or their repository) with @Transactional explicitly [7].
1. Which return types can be used for a repository method that accepts a Pageable argument?
    A. Only Page<T>
    B. Page<T>, Slice<T>, or List<T> [8]
    C. Only List<T>
    D. Any Iterable<T>
    Answer: B
    Explanation: When using a Pageable parameter, Spring Data JPA methods can return Page<T>, Slice<T>, or a List<T>. A Page will trigger an extra count query to determine total elements, whereas Slice and List do not [8].
1. What is the key difference between Page<T> and Slice<T> in Spring Data pagination?
    A. Page does not include pagination info, Slice does.
    B. Page triggers a count query for total elements; Slice does not [9].
    C. Slice always reads the entire table.
    D. There is no difference; they are synonyms.
    Answer: B
    Explanation: A Page<T> knows the total number of elements and pages (requiring a count query), whereas a Slice<T> only knows if there is a next slice available and does not execute a count query [9].
1. What effect does the keyword Distinct have in a Spring Data JPA method name?
    A. It causes an error unless @Query is used.
    B. It adds SELECT DISTINCT to the query, ensuring unique results [10].
    C. It returns a Set<T> instead of a List<T>.
    D. It de-duplicates results in memory after fetching.
    Answer: B
    Explanation: Using Distinct in a method name (e.g. findDistinctByX) causes Spring Data JPA to use a SELECT DISTINCT in the query, thereby returning unique root entities. Note that the semantics depend on entity definitions as explained in the documentation [10].
2. How can you override the default transaction attributes for a Spring Data JPA repository method?
    A. Configure it in application.properties.
    B. Declare the method again in the repository and annotate it (e.g. @Transactional(timeout=10)) [11].
    C. Use @Transactional only on service layer.
    D. Default attributes cannot be changed.
    Answer: B
    Explanation: To customize transaction settings (e.g. timeout or isolation) for a specific CRUD method, you redeclare it in your repository interface and add the desired @Transactional attributes. For example, overriding findAll() with @Transactional(timeout=10) will apply that timeout [11].
3. In Spring Data JPA, how do you add a custom method implementation to a repository?
    A. Annotate the repository interface with @CustomRepository.
    B. Define a separate interface and an implementation class with Impl suffix [12].
    C. Extend JdbcRepository.
    D. Put the method in the repository interface and Spring will auto-implement it.
    Answer: B
    Explanation: To add custom behavior, define a fragment interface (e.g. CustomizedUserRepository) and provide a class with the same name plus Impl (e.g. CustomizedUserRepositoryImpl) [12]. Then let your main repository interface extend this fragment interface; Spring Data will detect and wire in the implementation.
4. Which Spring Data JPA interface should a repository extend to support JPA Specifications (Criteria API predicates)?
    A. JpaSpecificationExecutor [13]
    B. QueryByExampleExecutor
    C. QueryDslPredicateExecutor
    D. JdbcRepository
    Answer: A
    Explanation: To use JPA Specification<T> (the Criteria API approach) with a repository, extend JpaSpecificationExecutor<T> in your repository interface [13]. This provides methods like findAll(Specification), allowing composition of criteria predicates.
5. Which interface should a Spring Data repository extend to support Query by Example?
    A. JpaRepository
    B. QueryByExampleExecutor<T> [14]
    C. JpaSpecificationExecutor<T>
    D. ExampleRepository
    Answer: B
    Explanation: For Query by Example functionality, the repository needs to extend QueryByExampleExecutor<T> in addition to a standard repository interface. This provides methods like findAll(Example<S>) [14].
6. In Spring Data JPA Query by Example, which fields are ignored by default in the example (probe) object?
    A. Primitive type fields (int, double, etc.)
    B. Fields annotated with @Ignore
    C. All non-null fields
    D. Fields with null values [15]
    Answer: D
    Explanation: By default, Query by Example ignores properties that have null values in the probe entity. Only non-null fields are included in the matching criteria [15].
7. Which interface must be extended to use Querydsl with Spring Data JPA repositories?
    A. JpaRepository
    B. JpaSpecificationExecutor
    C. QueryDslPredicateExecutor [16]
    D. QuerydslJpaRepository
    Answer: C
    Explanation: To enable Querydsl predicate support, your repository should extend QueryDslPredicateExecutor<T>. This allows using Querydsl BooleanExpression objects in methods like findAll(...) [16].
    Answer: B
    Explanation: The saveAndFlush() method (provided by JpaRepository) saves the entity and then immediately calls flush() on the EntityManager, forcing the SQL INSERT/UPDATE to be executed in the database.
    Answer: B
    Explanation: Methods starting with existsBy... in Spring Data return a boolean. It will be true if a matching record is found, false otherwise (essentially checking if count > 0).
10. How can you define pagination in a query method without using an @Query annotation?
    A. Use findAll(Pageable pageable).
    B. Just declare any method, Spring paginates automatically.
    C. Provide a Pageable parameter and return type Page<T> (or Slice<T> / List<T>).
    D. It’s not possible without @Query.
    Answer: C
    Explanation: You can add a Pageable parameter to the method signature and use return type Page<T>, Slice<T>, or List<T>. Spring Data JPA will apply pagination to the query automatically. (E.g. Page<User> findByStatus(String status, Pageable page).)
11. What annotation allows named parameters in @Query methods and how are they used?
    A. @NamedParam on the method
    B. @Param("name") on each method argument and use :name in JPQL [17]
    Answer: B
    Explanation: When using named parameters in an @Query string, each corresponding method parameter should be annotated with @Param("paramName"). The JPQL should use :paramName. For example: @Query("select u from User u where u.firstname = :firstname") User findByFirstname(@Param("firstname") String fname) [17].
12. Which of the following is a valid Spring Data JPA derived query method name?
    A. findUsersByAgeGtAndName(String name, int age)
    B. getByAddress_City(String city)
    C. fetchByEmailLikeOrUsernameContains(String username, String email)
    D. selectByDateBefore(LocalDate date)
    Answer: B
    Explanation: find, get, query are all valid prefixes (findBy, getBy, etc.). Underscores can navigate nested properties (as in Address_City). The rest must match property names and keywords (Like, Contains). selectByDateBefore is invalid because it uses selectBy, which is not a supported prefix.
13. What happens if a query method that is supposed to return one entity finds no results?
    A. Returns null.
    B. Throws EmptyResultDataAccessException.
    C. Returns an Optional.empty() if declared as Optional<T>, otherwise null.
    D. Returns an empty list.
    Answer: C
    Explanation: If a repository method returns a domain type (not a collection) and finds no result, it returns null. If the return type is Optional<T>, then it returns Optional.empty(). (Using Optional<T> is the recommended approach to handle no-result cases.)
14. Which repository return type can cause Spring Data to issue an automatic count query?
    A. List<T>
    B. Page<T> [9]
    C. Slice<T>
    D. Stream<T>
    Answer: B
    Explanation: A Page<T> return type triggers Spring Data to run a count query to determine the total number of elements (for pagination calculations) [9]. Slice<T> and List<T> do not cause such an extra query.
15. How do you customize a repository’s findAll() method to run non-read-only (e.g. with timeout)?
    A. Override the findAll() method in a custom base class.
    B. Redeclare findAll() in the repository interface with @Transactional(timeout=...) [11].
    C. It cannot be customized; use a service layer.
    D. Use XML config.
    Answer: B
    Explanation: You can redeclare an inherited method (like findAll()) in the repository interface and annotate it with your desired transactional attributes. For instance:

      @Override
      @Transactional(timeout = 10)
      List<User> findAll();

    This causes findAll() to run with a 10-second timeout instead of the default [11].
16. In derived query methods, how can you compare a date range?
    A. findByDateRange(LocalDate start, LocalDate end)
    B. findByDateBetween(LocalDate start, LocalDate end)
    C. findByDateGtAndDateLt(LocalDate start, LocalDate end)
    D. findByDateIn(LocalDate start, LocalDate end)
    Answer: B
    Explanation: To query a range of dates, use the Between keyword: e.g. findByDateBetween(LocalDate start, LocalDate end). Spring Data understands Between and generates a query where date BETWEEN ? AND ?.
17. What is the result of a deleteBy derived method when no records match the criteria?
    A. It throws an exception.
    B. It does nothing (no error).
    C. It deletes all records (inverted logic).
    D. It returns false.
    Answer: B
    Explanation: Derived delete methods (like deleteByStatus(String status)) issue a delete operation with the given criteria. If no records match, nothing happens (no exception) – it simply affects zero rows.
18. Which keyword in a method name would make a query sorted by a given property?
    A. SortBy
    B. OrderBy [18]
    C. Sorted
    D. SortedBy
    Answer: B
    Explanation: Use OrderBy followed by the property name (e.g. findByLastnameOrderByFirstnameDesc(String lastname)). Spring Data supports OrderBy to append an ORDER BY clause to the query [18].
19. How would you retrieve just the first 5 results in descending order of salary for findByName(String name)?
    A. findTop5ByName(String name) then sort in code.
    B. findTop5ByNameOrderBySalaryDesc(String name) [3].
    C. findByName(String name, Sort.by("salary", DESC)).
    D. Set a page request of size 5 and sort.
    Answer: B
    Explanation: The method findTop5ByNameOrderBySalaryDesc(String name) tells Spring Data to limit to 5 results and sort them by salary descending. (Option D also works in practice, but the question asks for a single method name solution.) Using Top5 and OrderBySalaryDesc is the conventional approach [3].
    Answer: A
    Explanation: existsBy... methods return a boolean: true if at least one row satisfies the condition, false otherwise. It effectively checks for the existence of records without retrieving them.
21. How can you optimize a pagination query to avoid the overhead of a count query?
    A. Use Slice<T> or return a List<T> instead of Page<T>.
    B. Always include a manual count query in @Query.
    C. Use an SQL hint to skip counting.
    D. It’s not possible; Page<T> always counts.
    Answer: A
    Explanation: Unlike Page<T>, returning a Slice<T> or even just a List<T> will not trigger a count query. Use Slice<T> when you only need to know if more pages exist (the slice has methods like hasNext()) [8].
22. In Spring Data JPA, what annotation is typically used on the entity to define a static named query?
    A. @Query on the repository method.
    B. @NamedQuery on the entity [19].
    C. @StaticQuery on the entity.
    D. @NamedNativeQuery on the repository.
    Answer: B
    Explanation: Named queries can be defined with the @NamedQuery annotation on the JPA entity class. These JPQL queries are then identified by their name (e.g. User.findByEmailAddress) [19].
23. Which of the following is true about the @Transactional annotation in Spring Data?
   A. It only applies to service layer and not to repositories.
   B. It only works on public methods, due to proxy-based AOP limitations.
   C. It can be applied to private methods as well.
   D. Transactions always start at application startup.
   Answer: B
   Explanation: Spring’s transaction management is proxy-based by default, so @Transactional
   only works on public methods. Internal or private method calls won’t go through the proxy and thus
   will not be transactional.
24. How would you perform a bulk update or delete in Spring Data JPA?
    A. Execute a loop of repository saves.
    B. Use a repository method annotated with @Modifying and @Query [20].
    C. Use saveAll().
    D. Bulk updates are not supported by Spring Data JPA.
    Answer: B
    Explanation: For bulk updates or deletes, use a repository method with @Query specifying the JPQL (or SQL) and annotate it with @Modifying along with @Transactional. For example:

      @Modifying @Transactional
      @Query("delete from User u where u.active = false")
      void deleteInactiveUsers();
    Answer: B
    Explanation: In CrudRepository, the saveAll() method returns an Iterable<T>. However, JpaRepository (which extends CrudRepository) overrides saveAll() to return a List<T> [21][1].
26. Which of these is not a valid query keyword in Spring Data derived queries?
    A. Between
    B. Containing
    C. All
    D. IgnoreCase
    Answer: C
    Explanation: Between, Containing, and IgnoreCase are valid keywords. There is no All keyword. (To get all results, you use methods like findAll() without keywords.)
27. How do you paginate and sort results in Spring Data JPA without writing a query?
    A. Use EntityManager manually.
    B. Add a Pageable parameter and/or Sort parameter to the repository method.
    C. It cannot be done without @Query.
    D. Use @OrderBy annotation on the entity fields.
    Answer: B
    Explanation: You can simply add a Pageable and/or Sort parameter to your repository method signature and Spring Data will automatically apply it. For example: List<User> findByLastname(String lastname, Sort sort) or Page<User> findByLastname(String lastname, Pageable page).
28. What is the effect of calling flush() on a Spring Data JPA repository?
   A. It clears the persistence context.
   B. It synchronizes pending changes to the database immediately.
   C. It rolls back the current transaction.
   D. It refreshes entities from the database.
   Answer: B
   Explanation: Calling flush() forces Hibernate (or the JPA provider) to execute the SQL for any
   pending changes (insert/update/delete) in the persistence context to the database.
    Answer: B
    Explanation: @Query(nativeQuery=true) allows raw SQL. When using pagination with native queries, you should provide a countQuery explicitly, because Spring Data cannot derive it for you [22].
30. What happens if you call a repository method from another method in the same class and the called method is annotated @Transactional with REQUIRES_NEW?
    A. A new transaction will always be started.
    B. No new transaction will start because the call does not go through the proxy.
    C. It will cause a runtime exception.
    D. The called method is ignored.
    Answer: B
    Explanation: Spring’s transaction annotations work via proxies, so an internal method call does not go through the proxy. As a result, the REQUIRES_NEW setting on a private or internal call will be ignored (the outer transaction continues) [23].
31. How do you implement a custom repository method that uses JPA Criteria (Specification) logic?
    A. Implement it in the service layer.
    B. Extend JpaSpecificationExecutor and write a Specification<T>.
    C. Only use JPQL with @Query.
    D. Use Spring Data REST.
    Answer: B
    Explanation: To use criteria (Specification) logic, extend JpaSpecificationExecutor<T> in your repository and then call methods like findAll(Specification<T>), passing a Specification instance. This lets you build queries using the JPA Criteria API in a type-safe way.
    Answer: B
    Explanation: As of Spring Security 5.7, WebSecurityConfigurerAdapter is deprecated. The recommended approach is to create a @Bean of type SecurityFilterChain and configure HttpSecurity inside it [24].
    D. @EnableSecurity
    Answer: C
    Explanation: In recent versions (5.6+), @EnableMethodSecurity is used to activate method-level security (replacing the older @EnableGlobalMethodSecurity). It enables annotations like @PreAuthorize and @Secured on methods [25].
3. What authority does the expression hasRole('ADMIN') check for in Spring Security?
    A. ADMIN (no prefix)
    B. ROLE_ADMIN [26]
    C. Role_ADMIN
    D. PERMISSION_ADMIN
    Answer: B
    Explanation: The hasRole('X') expression actually checks if the authenticated user has the authority ROLE_X. For example, hasRole('ADMIN') means the user must have the ROLE_ADMIN authority [26].
    B. Only GET and HEAD
    C. Unsafe methods (POST, PUT, DELETE, etc.) [27]
    D. It is disabled by default.
    Answer: C
    Explanation: CSRF protection is enabled by default for state-changing (unsafe) HTTP methods like POST, PUT, DELETE (and PATCH). Safe methods like GET, HEAD, OPTIONS do not require a CSRF token [27].
5. In a new Spring Boot application with Spring Security, what are the default username and password?
    A. admin / admin
    B. user and a randomly generated password shown in the console [28]
    Answer: B
    Explanation: By default Spring Security creates an in-memory user named user with a randomly generated password. The password is printed in the console on startup (e.g. Using generated security password: <random>). This default behavior is documented in Spring Security 5.7+ [28].
6. How can you use a plain-text password with Spring Security’s DelegatingPasswordEncoder?
    A. Prefix the password with {plain}
    B. Prefix the password with {noop} [29]
    Answer: B
    Explanation: The default PasswordEncoder in Spring Security is DelegatingPasswordEncoder, which requires you to specify the encoding id. For plain text (no encoding), prefix the password with {noop} (e.g. {noop}password). This tells it to use NoOpPasswordEncoder [29].
  Answer: B
  Explanation: “Remember-Me” allows the application to issue a long-lived cookie so that the user can
  remain authenticated across browser restarts. It essentially remembers the user’s login beyond the
  normal session lifetime.
8. Where does a JWT token typically get sent in an HTTP request for authentication?
    A. In a cookie named JWT.
    B. As a query parameter token.
    C. In the Authorization header as Bearer <token>.
    D. In the request body.
    Answer: C
    Explanation: By convention, JWTs are sent in the Authorization HTTP header using the Bearer scheme (e.g. Authorization: Bearer <token>). This is the standard approach for JWT authentication in HTTP.
   Answer: B
   Explanation: Stateless security means the server does not keep a session for the user. Each request
   must carry its own authentication (usually via a token like JWT), and the server won’t store
   authentication state between requests.
10. What is the difference between authentication and authorization in Spring Security?
    A. Authentication checks “who you are”; authorization checks “what you can access.”
    B. They are the same thing.
    C. Authentication is role-based; authorization is user-based.
    D. Authorization must happen before authentication.
   Answer: A
   Explanation: Authentication verifies the identity of a user (e.g. username/password), while
   authorization determines what that authenticated user is allowed to do or access (roles/
   permissions).
11. Which annotation would you use on a method to restrict access to users with the role USER?
    A. @PreAuthorize("hasRole('USER')")
    B. @Secured("ROLE_USER")
    C. @RolesAllowed("USER")
    D. Any of the above (with proper configuration).
    Answer: D
    Explanation: All listed annotations can restrict access: @PreAuthorize("hasRole('USER')"), @Secured("ROLE_USER"), and @RolesAllowed("USER") (with JSR-250 enabled) all effectively check for the ROLE_USER authority. Note that for hasRole('USER'), Spring adds the ROLE_ prefix automatically.
12. What does CSRF (Cross-Site Request Forgery) protection prevent in a web application?
    A. Cross-site scripting attacks.
    B. Unauthorized commands sent from a user’s browser on behalf of an authenticated user without
    their intent.
    C. Password brute-force attacks.
    D. Data encryption issues.
   Answer: B
   Explanation: CSRF protection is meant to ensure that state-changing requests (like form
   submissions) are intentional and come from the legitimate user. It prevents malicious websites from
   making a user’s browser perform actions on another site where they are authenticated.
13. What must a client typically include in a state-changing form request to pass Spring Security’s CSRF protection?
    A. A header X-CSRF-Token or a hidden form field with the CSRF token value.
    B. The session ID as a parameter.
    C. Nothing – only headers matter.
    D. A special cookie named CSRF.
    Answer: A
    Explanation: Spring Security’s CSRF protection requires a valid CSRF token on unsafe requests. This token is often included as a hidden form field (in HTML forms) or an HTTP header (X-CSRF-Token). It must match the token the server expects.
14. How can you disable CSRF protection in a Spring Security configuration?
    A. It’s enabled by default and cannot be disabled.
    B. Call http.csrf().disable() in your HttpSecurity configuration.
    C. Set spring.security.csrf.enabled=false in application.properties.
    D. CSRF is only for REST APIs, so not needed to disable.
    Answer: B
    Explanation: To disable CSRF protection (e.g. for a stateless API), you can call .csrf().disable() on the HttpSecurity object in your security configuration.
15. What is the default behavior of Spring Security regarding session creation and management?
    A. Always create a new session for every request.
    B. Never create sessions (STATELESS by default).
    C. Creates a session when needed (IF_REQUIRED) and stores the security context in it.
    D. Only creates sessions on POST requests.
    Answer: C
    Explanation: By default, Spring Security uses SessionCreationPolicy.IF_REQUIRED, meaning it will create an HTTP session when necessary (e.g. after successful login) and store the SecurityContext in it to keep the user authenticated across requests.
16. Which password encoder should you use for storing passwords securely in production?
    A. NoOpPasswordEncoder (plain text).
    B. BCryptPasswordEncoder or another strong encoder.
    C. StandardPasswordEncoder (SHA-256-based).
    D. PlaintextPasswordEncoder.
    Answer: B
    Explanation: For production, use a strong adaptive encoder like BCryptPasswordEncoder. NoOpPasswordEncoder is only for testing (plain text), and StandardPasswordEncoder (SHA-256) is considered obsolete. BCrypt or PBKDF2 or SCrypt are recommended.
17. How do you allow unauthenticated access to a specific endpoint (e.g. /public) in Spring Security?
    A. Do nothing; Spring allows all by default.
    B. Use http.authorizeRequests().antMatchers("/public").permitAll().
    C. Define @PermitAll on that controller method (requires method security).
    D. Both B and C are valid approaches (B is the common way in HTTP config).
    Answer: D
    Explanation: You can permit all requests to /public by configuring HttpSecurity with .authorizeRequests().antMatchers("/public").permitAll(). Alternatively, if using method-level security, you could use @PermitAll on that controller method (with JSR-250 enabled).
18. In OAuth2 (Authorization Code flow), what is exchanged for an access token?
    A. The client ID and secret.
    B. The authorization code (and client credentials) [30].
    C. The user’s password.
    D. Nothing; the access token is generated without input.
   Answer: B
   Explanation: In the OAuth2 Authorization Code flow, the client exchanges the received authorization
   code (plus its client credentials) for an access token. This ensures the token is issued only after user
   consent.
19. What does the HttpSecurity.csrf() configuration do when left with defaults?
    A. It disables CSRF protection.
    B. It enables CSRF protection for unsafe HTTP methods.
    C. It throws an error on startup.
    D. It only uses CSRF tokens stored in cookies.
    Answer: B
    Explanation: By default, http.csrf().csrfTokenRepository(...) is enabled (the default config), which protects against CSRF for unsafe methods. Calling .csrf(Customizer.withDefaults()) explicitly just uses the default CSRF behavior (same as enabling it).
20. What is the purpose of the @EnableWebSecurity annotation?
   A. It enables web (HTTP) security in the application.
   B. It turns on CSRF protection only.
   C. It scans for @Controller classes.
   D. It initializes an in-memory database.
   Answer: A
   Explanation: @EnableWebSecurity (on a @Configuration class) triggers the Spring Security
   configuration for web applications. It allows customization of WebSecurity / HttpSecurity and
   typically is included alongside security beans.
21. How do you configure HTTP Basic authentication with Spring Security?
    A. Call http.httpBasic() on HttpSecurity.
   B. By default Spring uses HTTP Basic.
   C. Include a BasicAuthFilter bean.
   D. Use @EnableBasicAuth .
   Answer: A
   Explanation: To enable HTTP Basic auth, you include .httpBasic() in your HttpSecurity
   configuration. For example:
     http.authorizeRequests().anyRequest().authenticated()
         .and().httpBasic();
22. Which HTTP status code does Spring Security return for unauthorized (not authenticated)
    access attempts to protected endpoints?
    A. 200 OK
    B. 401 Unauthorized
    C. 403 Forbidden
    D. 302 Found (redirect to login)
   Answer: B
   Explanation: If a request is unauthenticated, Spring Security responds with HTTP 401
   (Unauthorized). If a user is authenticated but not permitted to access the resource, it returns 403
   (Forbidden). In stateless or REST setups, 401 is common for missing credentials.
23. How can you provide custom user details (username/password) to Spring Security?
    A. Implement UserDetailsService and register it as a bean.
    B. Always rely on the default in-memory user.
    C. Use @User on a class.
    D. Put credentials in application.properties as spring.security.user.
    Answer: A
    Explanation: To use a custom user store, implement UserDetailsService (or extend JdbcUserDetailsManager, etc.) and register it as a bean. This service loads users by username. (You can also configure basic user/password in properties or define in-memory users.)
    Answer: B
    Explanation: antMatchers("/admin").hasRole("ADMIN") means only users who have the ROLE_ADMIN authority can access /admin. (Spring automatically adds the ROLE_ prefix for hasRole("ADMIN").)
25. Which of the following defines an OAuth2 Resource Server in Spring Security?
    A. http.oauth2ResourceServer()
   B. @EnableResourceServer (legacy)
   C. Both (A) in newer Spring Security (no annotation), and (B) in older OAuth2 libraries.
   D. @EnableOAuth2Client .
   Answer: C
   Explanation: In Spring Security 5+, you typically configure HttpSecurity with
    http.oauth2ResourceServer() and related methods. (The older Spring OAuth module used
    @EnableResourceServer , but that is now deprecated in favor of the new config.)
26. How do you configure Spring Security to allow frame embedding (for H2 console, etc.)?
    A. Spring Security does this by default.
    B. Call http.headers().frameOptions().disable() .
   C. Add X-Frame-Options: SAMEORIGIN header manually.
   D. Use @EnableFrame .
   Answer: B
   Explanation: By default, Spring Security sets X-Frame-Options: DENY . To allow embedding (e.g.
   for H2 console), disable frameOptions with: http.headers().frameOptions().disable() in
   the security config.
27. What happens if you omit .csrf().disable() in a REST API secured by Spring Security?
   A. Nothing; CSRF only affects web apps.
   B. CSRF protection is still active, so state-changing endpoints will be blocked without a token.
   C. Spring will throw an exception on startup.
   D. CSRF is irrelevant for APIs so it's ignored.
   Answer: B
   Explanation: Even for APIs, CSRF protection is enabled by default. If you do not disable CSRF, state-
   changing requests (POST, etc.) will require a valid CSRF token and otherwise be rejected.
28. In Spring Security expressions, what is the difference between hasRole('USER') and
    hasAuthority('ROLE_USER') ?
   A. There is no difference; both check for authority ROLE_USER .
   B. hasRole('USER') checks a session attribute, hasAuthority checks roles.
   C. hasRole does not require the ROLE_ prefix, hasAuthority does.
   D. hasRole is only for OAuth2.
   Answer: C
   Explanation: hasRole('X') implicitly adds the ROLE_ prefix (so it checks for authority
    ROLE_X ), while hasAuthority('Y') checks the exact authority name you specify. Thus
    hasRole('USER') and hasAuthority('ROLE_USER') are equivalent.
29. Which filter processes form-based login in Spring Security’s filter chain?
    A. UsernamePasswordAuthenticationFilter
   B. FormLoginFilter
   C. BasicAuthenticationFilter
   D. RememberMeAuthenticationFilter
   Answer: A
   Explanation: For form login (the default Spring Security login form), the
    UsernamePasswordAuthenticationFilter handles the submission of username/password and
   attempts authentication.
30. What header is added to prevent clickjacking, and how is it configured by default?
    A. X-Frame-Options: DENY , enabled by default.
   B. X-Content-Type-Options: nosniff , disabled by default.
   C. Content-Security-Policy: frame-ancestors 'none' , enabled by default.
   D. Strict-Transport-Security , disabled by default.
   Answer: A
   Explanation: Spring Security by default adds X-Frame-Options: DENY to responses, which
   prevents the app from being framed. This is part of clickjacking protection. (It can be customized or
   disabled as needed.)
31. How can you enable CORS (Cross-Origin Resource Sharing) with Spring Security?
    A. It's enabled by default.
    B. Use http.cors() in the security config and define a CorsConfigurationSource bean.
   C. Use @CrossOrigin on controller methods only.
   D. Add CORS headers manually in each response.
   Answer: B
   Explanation: You must enable CORS in Spring Security by calling http.cors() . You also need to
   provide a CorsConfigurationSource bean that defines the allowed origins, methods, etc. The
    @CrossOrigin annotation or manual headers are alternatives but the recommended way is via
   Spring Security config and bean.
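The frame-options, CSRF, clickjacking-header and CORS questions above (26, 27, 30 and 31) all touch one `HttpSecurity` configuration, so here is a single added example (not the page's own code) that covers them together for a Spring Boot app with a browser front end on `/api/**` and an H2 console for administrators. Origins and paths are placeholder values:

```java
import java.util.List;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical hardening configuration; origin and path values are placeholders.
@Configuration
@EnableWebSecurity
public class WebHardeningConfig {

    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http
            // CorsFilter runs ahead of authentication and uses the CorsConfigurationSource bean.
            .cors(Customizer.withDefaults())
            // CSRF stays ON for this session-cookie-backed app. The H2 console posts forms
            // without a token, so only that path is exempted. csrf.disable() is appropriate only
            // for a fully stateless API authenticated with bearer tokens, never with cookies.
            .csrf(csrf -> csrf.ignoringRequestMatchers(PathRequest.toH2Console()))
            .headers(headers -> headers
                // Keep clickjacking protection: SAMEORIGIN lets the H2 console (which frames
                // itself) work without dropping X-Frame-Options entirely as disable() would.
                .frameOptions(frame -> frame.sameOrigin())
                // Strict-Transport-Security is emitted only on HTTPS responses.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)))
            // Redirects plain-HTTP requests to HTTPS before any credentials are processed.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(PathRequest.toH2Console()).hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Explicit allow-list: no "*" origin, and credentials only for the named front end.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com"));   // placeholder origin
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);   // cache preflight responses for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);   // only the API is cross-origin
        return source;
    }
}
```

Two design points: `sameOrigin()` is preferred over `frameOptions().disable()` because it keeps the header on every response and only relaxes it to same-origin framing, and the CORS allow-list is registered for `/api/**` alone so the console and any server-rendered pages are never exposed cross-origin.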
32. What is the purpose of the AuthenticationManager in Spring Security?
   A. It manages the user sessions.
   B. It validates credentials and constructs an Authentication object on login.
   C. It stores user details in memory.
   D. It generates JWT tokens.
   Answer: B
   Explanation: An AuthenticationManager (often a ProviderManager ) is responsible for
   authenticating credentials (e.g. username/password) by delegating to one or more
    AuthenticationProvider s. If successful, it returns a fully populated Authentication (user
   with roles).
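As an added example (not from the original page) of the `AuthenticationManager` in use, and of how success and failure differ in the HTTP response, here is a login endpoint that calls the manager directly instead of relying on a filter. The controller, request shape and endpoint path are assumptions:

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Exposes the AuthenticationManager (a ProviderManager over the configured providers) that
// Spring Security assembles from the UserDetailsService and PasswordEncoder beans.
@Configuration
class AuthenticationManagerConfig {

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}

// Hypothetical login endpoint that drives authentication explicitly.
@RestController
class LoginController {

    record LoginRequest(String username, String password) {}

    private final AuthenticationManager authenticationManager;

    LoginController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @PostMapping("/login")
    ResponseEntity<Map<String, Object>> login(@RequestBody LoginRequest req) {
        try {
            // The manager asks each AuthenticationProvider (DaoAuthenticationProvider for
            // username/password) in turn until one supports the token and accepts it.
            Authentication result = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(req.username(), req.password()));

            // Success: an authenticated token carrying the user's granted authorities.
            List<String> authorities = result.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .toList();
            return ResponseEntity.ok(Map.of("user", result.getName(), "authorities", authorities));
        } catch (AuthenticationException ex) {
            // Failure (wrong password, unknown user, locked or disabled account) surfaces as one
            // exception hierarchy. Answering every case with the same generic 401 keeps the
            // endpoint from revealing which usernames exist.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                .body(Map.of("error", "invalid credentials"));
        }
    }
}
```

In a real application the successful `Authentication` would also be stored (in the `SecurityContextHolder` and session, or exchanged for a token) so that subsequent requests are recognised; that step is omitted here to keep the focus on the manager itself.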
33. In Spring Security’s filter chain, which filter comes first: BasicAuthenticationFilter or
   UsernamePasswordAuthenticationFilter ?
   A. BasicAuthenticationFilter
   B. UsernamePasswordAuthenticationFilter
   C. They run in parallel.
   D. Order is undefined.
   Answer: B
   Explanation: The UsernamePasswordAuthenticationFilter (form login) is typically placed
   before the BasicAuthenticationFilter (HTTP Basic auth) in the filter chain.
   Answer: B
   Explanation: If you define multiple security configurations (multiple filter chains), you can use
    @Order to control which one applies first (Spring will use the first matching chain). Lower numbers
   have higher priority.
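As an added example (not the page's own code) of `@Order` on multiple filter chains: a stateless API chain for `/api/**` and a form-login chain for everything else. The paths and role name are assumptions:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical split between a stateless API and a browser-facing UI; paths are assumptions.
@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // The lowest @Order value is consulted first. securityMatcher() restricts this chain to
    // /api/**; a request is handled by the FIRST chain whose matcher accepts it and no other.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("API_CLIENT"))
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // This chain never issues cookies, so CSRF protection has nothing to protect here.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // No securityMatcher: this chain matches every remaining request, so it MUST be ordered
    // last. If it carried @Order(1) instead, the API chain above would never be reached and
    // API calls would be answered with a login redirect.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());   // CSRF stays enabled for the session-based UI
        return http.build();
    }
}
```

A quick way to verify the ordering at startup is to watch the `FilterChainProxy` debug log, which lists the chains in the order they will be matched.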
35. How does Spring Security differentiate between a successful and failed authentication
   attempt in an HTTP response?
   A. Success always returns 200 OK; failure returns 401 (or redirect to login).
   B. Both return 200 OK.
   C. Success returns 302 Found; failure returns 500.
   D. It only logs; responses are always 200.
   Answer: A
   Explanation: On successful authentication, the user proceeds (often a 200 or a redirect to original
   URL). On failure, Spring Security typically responds with a 401 Unauthorized (or redirects to the login
   page in web apps).
36. What does the Spring Security expression hasAuthority('permission:read') or
    hasRole('ADMIN') check?
   A. Authority permission:read or authority ROLE_ADMIN .
   B. Group membership.
   C. Cookie values.
   D. Username equals ADMIN.
   Answer: A
   Explanation: hasAuthority('permission:read') checks for exactly that authority.
    hasRole('ADMIN') checks for ROLE_ADMIN . So the combined expression allows users with
   either the permission:read authority or the ROLE_ADMIN authority.
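Questions 24, 28 and 36 all turn on how `hasRole` and `hasAuthority` are evaluated, so here is one added example (not from the original page) that applies both to URL rules and to method security. The paths, authority names and service class are assumptions:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Hypothetical configuration; URL paths and authority names are assumptions.
@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize on the service below
public class AuthorizationRulesConfig {

    @Bean
    SecurityFilterChain rules(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") prepends ROLE_, so this is the same check as
                // hasAuthority("ROLE_ADMIN"). In this DSL, passing "ROLE_ADMIN" to hasRole()
                // throws an IllegalArgumentException instead of silently double-prefixing.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // hasAuthority()/hasAnyAuthority() compare the authority string exactly, which
                // is how fine-grained permissions that are not roles are expressed.
                .requestMatchers("/reports/**").hasAnyAuthority("permission:read", "ROLE_ADMIN")
                .requestMatchers(HttpMethod.GET, "/public/**").permitAll()
                // Deny-by-default: anything not listed still requires an authenticated user.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// The same expressions guard the service layer, so a new controller that forgets a URL rule
// still cannot reach the data without the right authority.
@Service
class ReportService {

    @PreAuthorize("hasAuthority('permission:read') or hasRole('ADMIN')")
    public String read(String reportId) {
        return "report " + reportId;
    }

    @PreAuthorize("hasRole('ADMIN')")   // equivalent to hasAuthority('ROLE_ADMIN')
    public void delete(String reportId) {
        // deletion logic omitted
    }
}
```

The URL rules and the method annotations are evaluated independently: the filter chain decides before the controller runs, and `@PreAuthorize` decides again at the service boundary, so the two layers back each other up.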
   Answer: B
   Explanation: UserDetailsService is an interface with the method
    loadUserByUsername(String username) . Implementations fetch user information (username,
   password, granted authorities) from a data source so Spring Security can perform authentication.
38. How do you require HTTPS for all requests in Spring Security?
    A. http.requiresChannel().anyRequest().requiresSecure()
   B. Set server.ssl.enabled=true .
   C. Use http.secure().all() .
   D. Spring Security cannot enforce HTTPS.
   Answer: A
   Explanation: In the security config, use
    http.requiresChannel().anyRequest().requiresSecure() to require an HTTPS channel for
   all requests. This will redirect HTTP requests to HTTPS by default.
39. Which of the following is a valid way to configure password encoding in Spring Security 5?
    A. <bean id="passwordEncoder"
       class="org.springframework.security.crypto.password.NoOpPasswordEncoder"/>
    B. PasswordEncoder encoder = new BCryptPasswordEncoder(); and use it for
       UserDetailsService .
   C. Prefix stored password strings with an encoding id (like {bcrypt} or {noop} ).
   D. All of the above (depending on context).
   Answer: D
   Explanation: All methods are valid: you can define a PasswordEncoder bean (like BCrypt). The
    DelegatingPasswordEncoder approach allows prefixing stored passwords with {bcrypt} ,
    {noop} , etc., to pick the encoding on the fly. Note: option A wires the NoOpPasswordEncoder
   class as an XML bean; in modern Spring, you’d use PasswordEncoderFactories or builders.
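Questions 23, 37 and 39 fit together: a custom `UserDetailsService` returns user records whose password field already holds an encoded hash, and the `PasswordEncoder` bean decides how that hash is verified. As an added example (not the page's own code), an in-memory store with a `DelegatingPasswordEncoder`; the `Account` record, the sample users and their placeholder passwords are constructed for the example:

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical user row; stands in for a database entity.
record Account(String username, String passwordHash, List<String> roles, boolean enabled) {}

@Configuration
public class UserStoreConfig {

    // DelegatingPasswordEncoder: encodes with bcrypt and prefixes the result with "{bcrypt}",
    // yet still verifies rows stored under another id such as "{pbkdf2}" or "{noop}" (dev only).
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample accounts; hashes are computed at startup so the store holds no
        // plaintext. The passwords are placeholders for the example only.
        Map<String, Account> store = Map.of(
            "alice", new Account("alice", encoder.encode("alice-pw-placeholder"), List.of("ADMIN"), true),
            "bob",   new Account("bob",   encoder.encode("bob-pw-placeholder"),   List.of("USER"),  true),
            "carol", new Account("carol", encoder.encode("carol-pw-placeholder"), List.of("USER"),  false));
        return new AccountUserDetailsService(store);
    }
}

class AccountUserDetailsService implements UserDetailsService {

    private final Map<String, Account> accounts;

    AccountUserDetailsService(Map<String, Account> accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.get(username);
        if (account == null) {
            // DaoAuthenticationProvider rewraps this as BadCredentialsException by default, so the
            // login endpoint gives the same answer for an unknown user and for a wrong password.
            throw new UsernameNotFoundException("no such user");
        }
        return User.withUsername(account.username())
            .password(account.passwordHash())                // already "{bcrypt}..." encoded
            .roles(account.roles().toArray(String[]::new))   // "ADMIN" becomes ROLE_ADMIN
            .disabled(!account.enabled())                    // disabled accounts fail to log in
            .build();
    }
}
```

Option A's `NoOpPasswordEncoder` corresponds to the `{noop}` id in this scheme; with the delegating encoder it can be used for a local development account without ever becoming the default for stored passwords.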
40. How can you test secured methods in Spring without disabling security?
    A. It’s not possible; you must disable security for tests.
    B. Use @WithMockUser or @WithUserDetails in Spring Security test support.
    C. Use @SpringBootTest only.
    D. Use a special test profile.
   Answer: B
   Explanation: Spring Security’s test module provides annotations like @WithMockUser and
    @WithUserDetails to simulate an authenticated user with given roles/authorities for testing
   method-security or web-security endpoints without modifying the actual security configuration.
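As an added example (not from the original page) combining this question with the 401/403 distinction from question 22: a MockMvc test that uses `@WithMockUser` and the `user()`/`csrf()` request post-processors from Spring Security's test support. It assumes the application exposes `GET /admin` and `POST /admin/reload` behind `hasRole("ADMIN")`, uses HTTP Basic (so the entry point answers 401 rather than redirecting to a login page) and keeps CSRF enabled:

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test; endpoint paths and user names are assumptions.
@SpringBootTest
@AutoConfigureMockMvc
class AdminEndpointSecurityTest {

    @Autowired
    MockMvc mvc;

    @Test
    void anonymousRequestGets401() throws Exception {
        // No credentials at all: the entry point challenges with 401 and WWW-Authenticate.
        mvc.perform(get("/admin"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    @WithMockUser(username = "bob", roles = "USER")   // granted authority ROLE_USER
    void authenticatedButWrongRoleGets403() throws Exception {
        // Known user, insufficient authority: access denied, not another challenge.
        mvc.perform(get("/admin")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")   // granted authority ROLE_ADMIN
    void adminRoleGets200() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isOk());
    }

    @Test
    void stateChangingRequestNeedsCsrfToken() throws Exception {
        // Same admin user, but a POST without a CSRF token is rejected with 403 ...
        mvc.perform(post("/admin/reload").with(user("alice").roles("ADMIN")))
            .andExpect(status().isForbidden());
        // ... and accepted once the test supplies a valid token.
        mvc.perform(post("/admin/reload").with(user("alice").roles("ADMIN")).with(csrf()))
            .andExpect(status().isOk());
    }
}
```

Because the real `SecurityFilterChain` is loaded by `@SpringBootTest`, these tests exercise the production rules rather than a relaxed test profile; `@WithMockUser` only substitutes the `SecurityContext`, not the configuration.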
Sources: Official Spring Data and Spring Security documentation and references 1 13 3 6 15 5 12
2 9 27 26 28 29 .
1  java - What is difference between CrudRepository and JpaRepository interfaces in Spring Data JPA? - Stack Overflow
   https://stackoverflow.com/questions/14014086/what-is-difference-between-crudrepository-and-jparepository-interfaces-in-spring
3  java - Technical differences between Spring Data JPA's findFirst and findTop - Stack Overflow
   https://stackoverflow.com/questions/38045439/technical-differences-between-spring-data-jpas-findfirst-and-findtop
18 Supported Keywords in Query Method
   https://docs.oracle.com/en/database/other-databases/nosql-database/21.1/java-driver-table/supported-keywords-query-methods.html
28 java - What is username and password when starting Spring Boot with Tomcat? - Stack Overflow
   https://stackoverflow.com/questions/37285016/what-is-username-and-password-when-starting-spring-boot-with-tomcat