03 November 2020

#Spring_Security

Key Concepts


Difficulty levels used on this page: Basic, Intermediate, Advanced, Expert.

Topic | Sub-Topics
--- | ---
Authentication Basics | UsernamePasswordAuthenticationToken, AuthenticationManager
Authorization Basics | Role-based access, Authority checks
Security Filters | FilterChainProxy, DelegatingFilterProxy
CSRF Protection | CSRF token, CsrfFilter
Password Encoding | BCryptPasswordEncoder, DelegatingPasswordEncoder
UserDetailsService | Custom user details, InMemoryUserDetailsManager
Method Security | @PreAuthorize, @PostAuthorize, @Secured
SecurityContext | SecurityContextHolder, ThreadLocal
Session Management | Session fixation, Concurrent sessions
Remember-Me Authentication | Persistent tokens, Cookies
Exception Handling | AccessDeniedHandler, AuthenticationEntryPoint
JWT Authentication | Token generation, Token validation
OAuth2 Login | Authorization Code flow, PKCE
Resource Server | JWT validation, Introspection endpoint
OpenID Connect | ID Token, UserInfo endpoint
Multi-Factor Authentication | OTP, TOTP, SMS/Email
Custom Authentication | Custom AuthenticationProvider, AuthenticationToken
Custom Filters | OncePerRequestFilter, AbstractAuthenticationProcessingFilter
Access Control Expressions | SpEL, custom permission evaluators
Security Testing | WithMockUser, Spring Security Test
Reactive Security | Spring WebFlux Security, ServerHttpSecurity
Microservices Security | Service-to-service auth, Gateway filters
Integration with LDAP | LdapAuthenticationProvider, ActiveDirectoryLdapAuthenticationProvider
Security Hardening | Headers, XSS, Clickjacking protection
Distributed Security | SSO, Federated identity, Keycloak/Okta integration
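Most of the Basic and Intermediate rows above (role-based URL rules, password encoding, in-memory users, session fixation and concurrency, remember-me, AccessDeniedHandler, CSRF, hardening headers) meet in one SecurityFilterChain. The configuration below is an added example for this page, not code from the Spring Security project; it targets the Spring Security 6 component-based style, and the paths (/login, /admin/**, /403), the property app.remember-me.key and the two in-memory users are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // DelegatingPasswordEncoder: new hashes are bcrypt, but any {id}-prefixed hash
    // ({bcrypt}, {argon2}, {pbkdf2}, ...) still verifies, so the algorithm can be
    // rotated later without forcing a password reset.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed in-memory users for the example only; a real deployment wires a
    // JDBC/JPA/LDAP-backed UserDetailsService. Hashes are computed at startup,
    // never pasted into source.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-example-pw")).roles("USER").build(),
            User.withUsername("bob").password(encoder.encode("bob-example-pw")).roles("USER", "ADMIN").build());
    }

    // Needed for concurrent-session control to learn when a session is destroyed;
    // without it the SessionRegistry keeps stale entries and locks users out.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    @Value("${app.remember-me.key}") String rememberMeKey) throws Exception {
        http
            // Authorization: most specific matchers first, deny-by-default last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")   // needs authority ROLE_ADMIN
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout
                .logoutUrl("/logout")                           // POST only while CSRF is on
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            // Session fixation defence: new session id at login; one live session per user.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId())
                .sessionConcurrency(concurrency -> concurrency
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)))          // newest login wins
            // Hash-based remember-me. The key must be a secret from configuration:
            // anyone who knows it can mint remember-me cookies. For the persistent-token
            // variant, set rememberMe.tokenRepository(PersistentTokenRepository) instead.
            .rememberMe(rememberMe -> rememberMe
                .key(rememberMeKey)
                .tokenValiditySeconds(14 * 24 * 3600))
            // Authenticated but unauthorized -> custom 403 page; unauthenticated requests
            // go to the form-login AuthenticationEntryPoint, which redirects to /login.
            .exceptionHandling(ex -> ex.accessDeniedPage("/403"))
            // Hardening headers: X-Frame-Options DENY (clickjacking) plus a strict CSP.
            .headers(headers -> headers
                .frameOptions(frame -> frame.deny())
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'none'")));
        // CSRF protection (CsrfFilter, synchronizer token) is deliberately left at its default: ON.
        return http.build();
    }
}
```

Two things worth checking against this example: the login and 403 pages must exist as controllers/templates, and the remember-me key must be absent from the repository and rotated if leaked, because it is the only secret behind the hash-based cookie.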

Spring Security Annotations

🔑 Authentication & Authorization

  • @EnableWebSecurity - Enables Spring Security configuration.
  • @AuthenticationPrincipal - Access the currently authenticated user in a controller.
  • @WithMockUser - Used in tests to mock an authenticated user.
  • @WithUserDetails - Used in tests with a UserDetailsService-based user.

🛡️ Method-Level Security

  • @EnableMethodSecurity (Spring Security 5.6+, the preferred form in 6) - Enables method-level security annotations; @PreAuthorize/@PostAuthorize/@PreFilter/@PostFilter are on by default (prePostEnabled = true).
  • @EnableGlobalMethodSecurity (legacy, deprecated since 5.8) - Older switch for method-level security; needed prePostEnabled = true for the SpEL annotations and securedEnabled = true for @Secured.
  • @Secured - Restricts access to methods by role/authority name (e.g. "ROLE_ADMIN"); no SpEL support, must be enabled with securedEnabled = true.
  • @PreAuthorize - Evaluates a SpEL expression before the method runs; a false result raises AccessDeniedException and the body never executes.
  • @PostAuthorize - Evaluates a SpEL expression after the method runs, with the result available as returnObject (useful when the decision depends on the loaded data).
  • @PreFilter - Removes elements that fail the expression (filterObject) from a collection/array argument before the method executes.
  • @PostFilter - Removes elements that fail the expression (filterObject) from the returned collection before the caller sees it.
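The four SpEL annotations listed above differ in when they run and what they act on; the service below, an added example for this page rather than code from the Spring Security project, shows all four plus a bean-backed permission check. The Document record, the in-memory store, the ROLE_USER/ROLE_ADMIN names and the docGuard bean are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// prePostEnabled defaults to true, so the four SpEL annotations work as-is;
// add securedEnabled = true only if @Secured is wanted as well.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Assumed domain type for the example.
record Document(String id, String owner, String body) {
}

// Hypothetical permission bean, referenced from SpEL as @docGuard. Keeping the rule
// in code makes it unit-testable and stops expressions from growing unreadable.
@Component("docGuard")
class DocumentGuard {
    public boolean canRead(Authentication authentication, Document doc) {
        if (doc == null) {
            return false;                       // deny on "not found" rather than leak existence
        }
        boolean admin = authentication.getAuthorities().stream()
            .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return admin || doc.owner().equals(authentication.getName());
    }
}

@Service
public class DocumentService {

    // Constructed sample data; a real service reads from a repository.
    private final Map<String, Document> store = new ConcurrentHashMap<>(Map.of(
        "d1", new Document("d1", "alice", "alice's notes"),
        "d2", new Document("d2", "bob", "bob's notes")));

    // Pre-check: anyone without a known role is rejected before the lookup runs.
    // Post-check: ownership is only known after loading, so it is tested on returnObject.
    @PreAuthorize("hasAnyRole('USER', 'ADMIN')")
    @PostAuthorize("@docGuard.canRead(authentication, returnObject)")
    public Document load(String id) {
        return store.get(id);
    }

    // #doc binds to the parameter by name; this needs the class compiled with
    // -parameters (Spring Boot's build plugins set it). Record accessors are
    // called as methods in SpEL, hence owner() rather than a property.
    @PreAuthorize("hasRole('ADMIN') or #doc.owner() == authentication.name")
    public void save(Document doc) {
        store.put(doc.id(), doc);
    }

    // @PreFilter edits the ARGUMENT list in place, so callers must pass a mutable
    // list; an immutable List.of(...) fails with UnsupportedOperationException.
    @PreFilter("filterObject.owner() == authentication.name")
    public int deleteAll(List<Document> docs) {
        docs.forEach(d -> store.remove(d.id()));
        return docs.size();                      // count of documents actually deleted
    }

    // @PostFilter edits the RETURNED collection in place (same mutability rule) and
    // filters in memory after the query ran; for large tables push the owner
    // predicate into the query instead of relying on this.
    @PostFilter("hasRole('ADMIN') or filterObject.owner() == authentication.name")
    public List<Document> listAll() {
        return new ArrayList<>(store.values());
    }
}
```

The pre/post split matters for information leakage as well as correctness: load() denies unknown users before touching the store, but only @PostAuthorize can decide whether this particular caller may see this particular document.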

🧩 OAuth2 & OpenID Connect

  • @EnableOAuth2Sso (legacy, spring-security-oauth2-autoconfigure) - Enabled OAuth2 single sign-on in older Spring Boot apps; replaced by http.oauth2Login() in Spring Security 5+.
  • @EnableAuthorizationServer (legacy, spring-security-oauth2) - Marked a configuration as an OAuth2 Authorization Server; that project is end-of-life and its successor is Spring Authorization Server.
  • @EnableResourceServer (legacy, spring-security-oauth2) - Marked a configuration as a Resource Server; replaced by http.oauth2ResourceServer() with JWT or opaque-token (introspection) support.
  • @RegisteredOAuth2AuthorizedClient - Injects the OAuth2AuthorizedClient (access/refresh tokens) for a given client registration into a controller method.
  • @CurrentSecurityContext - Injects the current SecurityContext, or a SpEL-selected part of it, into a controller method (not OAuth2-specific).

🔍 Testing & Mocking

  • @WithAnonymousUser - Simulates an anonymous (unauthenticated) user in tests.
  • @WithSecurityContext - Customizes security context for tests.

⚙️ Miscellaneous

  • @Order - Sets the order in which SecurityFilterChain beans are tried when several exist (the first whose securityMatcher matches handles the request); also orders plain Filter beans.
  • @EnableReactiveMethodSecurity - Enables method-level security for WebFlux.

Interview Questions

Basic

  1. What is Spring Security and why is it used?
  2. How does authentication differ from authorization?
  3. What is the default login page provided by Spring Security?
  4. What is the role of AuthenticationManager in Spring Security?
  5. Explain the purpose of UsernamePasswordAuthenticationToken.
  6. What is SecurityContext and how is it managed?
  7. What is SecurityContextHolder used for?
  8. How does Spring Security handle password encryption?
  9. What is BCryptPasswordEncoder?
  10. What are the main components of Spring Security architecture?
  11. How to enable Spring Security in a Spring Boot project?
  12. What is the role of UserDetails and UserDetailsService?
  13. How do you configure in-memory authentication in Spring Security?
  14. What is the default username and password generated by Spring Boot Security?
  15. What is GrantedAuthority in Spring Security?
  16. How to restrict access to a URL based on user role?
  17. What are @EnableWebSecurity and WebSecurityConfigurerAdapter?
  18. How to disable CSRF protection in Spring Security?
  19. What is the purpose of HttpSecurity?
  20. What is the difference between hasRole() and hasAuthority()?
  21. How to configure form-based login in Spring Security?
  22. What is Remember-Me authentication in Spring Security?
  23. How do you configure a custom login page?
  24. What is AccessDeniedHandler?
  25. How does Spring Security handle logout?

Intermediate

  1. How does Spring Security handle session management?
  2. What is session fixation attack and how to prevent it?
  3. What is the role of DelegatingFilterProxy?
  4. Explain the purpose of FilterChainProxy.
  5. How does Spring Security apply filters in a specific order?
  6. What is CSRF protection and how does it work in Spring Security?
  7. How to customize CSRF tokens in Spring Security?
  8. Explain exception handling in Spring Security.
  9. How does Spring Security integrate with LDAP?
  10. What is the difference between role-based and attribute-based access control?
  11. How to use @PreAuthorize and @PostAuthorize annotations?
  12. What is @Secured annotation in Spring Security?
  13. Explain how method-level security works.
  14. How to customize AuthenticationProvider?
  15. What is DaoAuthenticationProvider?
  16. How does Spring Security handle multiple authentication providers?
  17. Explain the concept of anonymous authentication.
  18. How to configure CORS with Spring Security?
  19. How does Spring Security protect against clickjacking?
  20. How to configure HTTPS/SSL in Spring Security?
  21. What is SecurityFilterChain in Spring Security 5.7+?
  22. How does Spring Security Test framework work?
  23. How to use @WithMockUser in testing?
  24. Explain SecurityMockMvcRequestPostProcessors.
  25. How do you override default error messages in Spring Security?

Advanced

  1. How does JWT authentication work with Spring Security?
  2. How do you generate and validate JWT tokens?
  3. What is the role of OncePerRequestFilter in JWT authentication?
  4. How does stateless authentication differ from stateful?
  5. How does Spring Security integrate with OAuth2?
  6. What is the Authorization Code flow in OAuth2?
  7. Explain the role of PKCE in OAuth2.
  8. How to configure Spring Security as an OAuth2 resource server?
  9. How does Spring Security handle introspection of opaque tokens?
  10. What is OpenID Connect and how does it extend OAuth2?
  11. What is the difference between ID Token and Access Token?
  12. How does Spring Security handle multi-factor authentication?
  13. How to implement OTP-based login in Spring Security?
  14. How to build a custom authentication filter?
  15. What is AbstractAuthenticationProcessingFilter?
  16. How to implement custom access decision logic?
  17. What is a PermissionEvaluator in Spring Security?
  18. How do you secure REST APIs with Spring Security?
  19. How to integrate Spring Security with GraphQL?
  20. How to configure Spring Security with WebFlux?
  21. What is ServerHttpSecurity in reactive security?
  22. How to secure microservices with Spring Cloud Gateway and Spring Security?
  23. What is service-to-service authentication?
  24. How to integrate Spring Security with Keycloak?
  25. How to integrate Spring Security with Okta?

Expert

  1. How does Spring Security handle distributed sessions?
  2. How do you configure single sign-on (SSO) with Spring Security?
  3. What is federated identity management?
  4. How does Spring Security integrate with SAML?
  5. What are the challenges in securing microservices with Spring Security?
  6. How to configure centralized authentication in a microservices architecture?
  7. What is token relay in Spring Security with microservices?
  8. How does Spring Security handle token expiration and refresh?
  9. How to implement fine-grained authorization using SpEL?
  10. What is Attribute-Based Access Control (ABAC)?
  11. How to create custom annotations for access control?
  12. How does Spring Security handle reactive streams authentication?
  13. How to implement security in event-driven architectures?
  14. What are security best practices for Spring Security in production?
  15. How to secure WebSockets with Spring Security?
  16. How to prevent brute force attacks in Spring Security?
  17. How to implement account lockout after multiple failed logins?
  18. How to implement rate limiting with Spring Security?
  19. How does Spring Security integrate with external IAM systems?
  20. How to handle security in CI/CD pipelines using Spring Security?
  21. How to implement zero trust security model with Spring Security?
  22. How to perform penetration testing for Spring Security apps?
  23. How to handle secrets management with Spring Security?
  24. How to use Spring Security with Kubernetes and service meshes?
  25. How to design a large-scale authentication architecture using Spring Security?
