03 November 2020

#Spring_Security

Key Concepts


| S.No | Topic | Sub-Topics |
|---|---|---|
| 1 | Spring Security | Security Basics, Authentication vs Authorization, Filters, DelegatingFilterProxy, SecurityContext |
| 2 | Spring Security Architecture | Filter Chain, SecurityContextHolder, AuthenticationManager, ProviderManager, AccessDecisionManager |
| 3 | Security Config Setup | Spring Boot Starter Security, @EnableWebSecurity, SecurityFilterChain, HttpSecurity, WebSecurityCustomizer |
| 4 | Authentication | Authentication Object, UserDetails, UserDetailsService, AuthenticationProvider, PasswordEncoder |
| 5 | Authorization | @PreAuthorize, @PostAuthorize, AccessDecisionVoters, Role Hierarchy, Security Expressions |
| 6 | Password Encoding | BCryptPasswordEncoder, DelegatingPasswordEncoder, Password Storage, Strength Factor, Salting |
| 7 | UserDetailsService | Custom Implementation, loadUserByUsername, InMemoryUserDetailsManager, JDBC UserDetails, JPA UserDetails |
| 8 | AuthenticationProvider | ProviderManager, DaoAuthenticationProvider, Custom Provider, Exceptions, Authentication Logic |
| 9 | Security Filters | Filter Ordering, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, LogoutFilter, AbstractAuthenticationProcessingFilter |
| 10 | CSRF Protection | CSRF Token, CSRF Header, Form Integration, Stateless CSRF, CSRF Exclusions |
| 11 | Session Management | Session Fixation, Session Creation Policy, Concurrent Sessions, Session Timeout, Remember Me |
| 12 | Remember Me | Persistent Token, Cookie Based Token, TokenRepository, Auto Login, Security Config |
| 13 | Login and Logout | Custom Login Page, Default Login Page, Logout Success, Redirects, Failure Handler |
| 14 | Role Based Security | Roles vs Authorities, GrantedAuthority, RoleHierarchyImpl, AccessDecision, Policy Rules |
| 15 | Method Level Security | @Secured, @PreAuthorize, @PostAuthorize, Meta Annotations, SpEL Expressions |
| 16 | JWT Authentication | JWT Token, Token Filter, Token Parsing, Expiry Handling, Refresh Tokens |
| 17 | JWT Implementation | Token Generation, Signing, Claims, Token Validation, Blacklist Tokens |
| 18 | OAuth2 Overview | OAuth2 Roles, Client, Resource Server, Authorization Server, Grant Types |
| 19 | OAuth2 Client | Client Registration, Redirect URI, Client Secret, Access Token, Scopes |
| 20 | OAuth2 Login | Login with Google, Authorization Code Flow, Token Exchange, OpenID Connect, Claims Mapping |
| 21 | OAuth2 Resource Server | Token Verification, JWKS Endpoint, Bearer Token Filter, Scope Validation, Security Rules |
| 22 | Spring Security 6 Changes | SecurityFilterChain Bean, Removed WebSecurityConfigurerAdapter, Lambda DSL, AuthorizationManager, New Defaults |
| 23 | Security for REST APIs | Stateless Auth, Bearer Token, Unauthorized Handling, Exception Handling, CORS Config |
| 24 | Cross-Origin Resource Sharing | CORS Basics, Preflight Requests, CorsConfiguration, Global CORS, Allowed Origins |
| 25 | Custom Authentication | Two Factor Auth, Token Based Auth, Mobile OTP Auth, Custom Filter, External Service Auth |
| 26 | Security Testing | MockMvc Test, @WithMockUser, Security Test Utils, Access Rules Test, JWT Test |
| 27 | Actuator Security | Actuator Endpoints, Health Endpoint, Info Endpoint, Role Based Actuator, Token Based Access |
| 28 | Logging and Monitoring | Audit Events, Failure Events, Success Events, Logging Details, Monitoring Logs |
| 29 | Best Practices | Password Policy, Account Locking, Token Expiry, Key Rotation, Secure Storage |
| 30 | Interview Preparation | Architecture Questions, JWT Questions, OAuth Questions, Authorization Rules, Real Time Scenarios |

Interview Questions

Basic

  1. What is Spring Security and why is it used?
  2. How does authentication differ from authorization?
  3. What is the default login page provided by Spring Security?
  4. What is the role of AuthenticationManager in Spring Security?
  5. Explain the purpose of UsernamePasswordAuthenticationToken.
  6. What is SecurityContext and how is it managed?
  7. What is SecurityContextHolder used for?
  8. How does Spring Security handle password encryption?
  9. What is BCryptPasswordEncoder?
  10. What are the main components of Spring Security architecture?
  11. How to enable Spring Security in a Spring Boot project?
  12. What is the role of UserDetails and UserDetailsService?
  13. How do you configure in-memory authentication in Spring Security?
  14. What is the default username and password generated by Spring Boot Security?
  15. What is GrantedAuthority in Spring Security?
  16. How to restrict access to a URL based on user role?
  17. What are @EnableWebSecurity and WebSecurityConfigurerAdapter?
  18. How to disable CSRF protection in Spring Security?
  19. What is the purpose of HttpSecurity?
  20. What is the difference between hasRole() and hasAuthority()?
  21. How to configure form-based login in Spring Security?
  22. What is Remember-Me authentication in Spring Security?
  23. How do you configure a custom login page?
  24. What is AccessDeniedHandler?
  25. How does Spring Security handle logout?

Intermediate

  1. How does Spring Security handle session management?
  2. What is a session fixation attack and how do you prevent it?
  3. What is the role of DelegatingFilterProxy?
  4. Explain the purpose of FilterChainProxy.
  5. How does Spring Security apply filters in a specific order?
  6. What is CSRF protection and how does it work in Spring Security?
  7. How to customize CSRF tokens in Spring Security?
  8. Explain exception handling in Spring Security.
  9. How does Spring Security integrate with LDAP?
  10. What is the difference between role-based and attribute-based access control?
  11. How to use @PreAuthorize and @PostAuthorize annotations?
  12. What is @Secured annotation in Spring Security?
  13. Explain how method-level security works.
  14. How to customize AuthenticationProvider?
  15. What is DaoAuthenticationProvider?
  16. How does Spring Security handle multiple authentication providers?
  17. Explain the concept of anonymous authentication.
  18. How to configure CORS with Spring Security?
  19. How does Spring Security protect against clickjacking?
  20. How to configure HTTPS/SSL in Spring Security?
  21. What is SecurityFilterChain in Spring Security 5.7+?
  22. How does Spring Security Test framework work?
  23. How to use @WithMockUser in testing?
  24. Explain SecurityMockMvcRequestPostProcessors.
  25. How do you override default error messages in Spring Security?

Advanced

  1. How does JWT authentication work with Spring Security?
  2. How do you generate and validate JWT tokens?
  3. What is the role of OncePerRequestFilter in JWT authentication?
  4. How does stateless authentication differ from stateful?
  5. How does Spring Security integrate with OAuth2?
  6. What is the Authorization Code flow in OAuth2?
  7. Explain the role of PKCE in OAuth2.
  8. How to configure Spring Security as an OAuth2 resource server?
  9. How does Spring Security handle introspection of opaque tokens?
  10. What is OpenID Connect and how does it extend OAuth2?
  11. What is the difference between ID Token and Access Token?
  12. How does Spring Security handle multi-factor authentication?
  13. How to implement OTP-based login in Spring Security?
  14. How to build a custom authentication filter?
  15. What is AbstractAuthenticationProcessingFilter?
  16. How to implement custom access decision logic?
  17. What is a PermissionEvaluator in Spring Security?
  18. How do you secure REST APIs with Spring Security?
  19. How to integrate Spring Security with GraphQL?
  20. How to configure Spring Security with WebFlux?
  21. What is ServerHttpSecurity in reactive security?
  22. How to secure microservices with Spring Cloud Gateway and Spring Security?
  23. What is service-to-service authentication?
  24. How to integrate Spring Security with Keycloak?
  25. How to integrate Spring Security with Okta?

Expert

  1. How does Spring Security handle distributed sessions?
  2. How do you configure single sign-on (SSO) with Spring Security?
  3. What is federated identity management?
  4. How does Spring Security integrate with SAML?
  5. What are the challenges in securing microservices with Spring Security?
  6. How to configure centralized authentication in a microservices architecture?
  7. What is token relay in Spring Security with microservices?
  8. How does Spring Security handle token expiration and refresh?
  9. How to implement fine-grained authorization using SpEL?
  10. What is Attribute-Based Access Control (ABAC)?
  11. How to create custom annotations for access control?
  12. How does Spring Security handle reactive streams authentication?
  13. How to implement security in event-driven architectures?
  14. What are security best practices for Spring Security in production?
  15. How to secure WebSockets with Spring Security?
  16. How to prevent brute force attacks in Spring Security?
  17. How to implement account lockout after multiple failed logins?
  18. How to implement rate limiting with Spring Security?
  19. How does Spring Security integrate with external IAM systems?
  20. How to handle security in CI/CD pipelines using Spring Security?
  21. How to implement a zero-trust security model with Spring Security?
  22. How to perform penetration testing for Spring Security apps?
  23. How to handle secrets management with Spring Security?
  24. How to use Spring Security with Kubernetes and service meshes?
  25. How to design a large-scale authentication architecture using Spring Security?

Related Topics

JWT
OAuth2
OpenID Connect
LDAP
Active Directory
MFA
TOTP