Spring Security Interview Questions.
In this post we will look at Spring Security Interview questions. Examples are provided with explanation.
- Explain Spring Security Architecture using Spring Boot?
- What is OAuth2 Authorization code grant type? How to implement it using Spring Boot Security?
- Using Spring Boot Security how to refresh expired JSON Web Token?
- What is JWT ? How to implement it using Spring Boot Security
- What is OAuth2 Client Credentials Grant? How to implement it using Spring Boot Security
- What is OAuth2 Password Grant? How to implement it using Spring Boot Security
- How to configure Spring Security using Spring Boot?
- How to create Custom Login Page using Spring Boot Security?
- How to do authentication against database tables using Spring Boot Security?
- How to configure Spring Security with in-memory configuration?
- What is the use of Spring Boot Security AuthenticationHandler class?
- What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?
- How to configure DelegatingFilterProxy?
- How to configure Spring Security using Spring MVC?
Explain Spring Security Architecture using Spring Boot?Let us understand how Spring Security Works.
Understand Spring Security Architecture and implement Spring Boot Security
How is Security mechanism implemented using SpringSpring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications. Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.
Spring makes use of the DelegatingFilterProxy for implementing security mechanisms. It is a Proxy for standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface. Its the starting point in the springSecurityFilterChain which instantiates the Spring Security filters according to the Spring configuration
Some of the features of Spring Security are
- Comprehensive and extensible support for both Authentication and Authorization
- Protection against attacks like session fixation, clickjacking, cross site request forgery, etc
- Servlet API integration Optional integration with Spring Web MVC
What is OAuth2 Authorization code grant type? How to implement it using Spring Boot Security?OAuth (Open Authorization) is a simple way to publish and interact with protected data.
It is an open standard for token-based authentication and authorization on the Internet. It allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
The OAuth specification describes five grants for acquiring an access token:
- Authorization code grant
- Implicit grant
- Resource owner credentials grant
- Client credentials grant
- Refresh token grant
If you are a new user you need to signup. You can signup using google or facebook account. When doing so you are authorizing Google or Facebook to allow quora to access you profile info with Quora. This authorizing is done using OAuth. Here you have in no way shared your credentials with Quora.
Understanding What Is OAuth2
Spring Boot OAuth2 Part 1 - Getting The Authorization Code
Spring Boot OAuth2 Part 2 - Getting The Access Token And Using it to fetch data.
Using Spring Boot Security how to refresh expired JSON Web Token?In previous tutorial we had implemented Spring Boot + JWT Example. We had also covered the topic of JWT Expiration. We had implemented the solution such that if the JWT has expired then the user gets JWTExpiredException.
Suppose our requirement is such that if the token has expired, still the user should be allowed to access the system if the token is valid. That is the token should be refreshed or a new valid token should be provided.
We will be working on a solution where if the user he receives JWT expired exception, then he can call another API with the expired token. A new token will then provided to the user which he can use for future interactions. Previously we had implemented an example for programmatically consuming the JWT secure API using Spring RestTemplate. We will be testing this refresh Token generation API both using Postman as well as the Spring RestTemplate.
What is JWT ? How to implement it using Spring Boot Security?For better understanding we will be developing the project in stages
- Develop a Spring Boot Application to expose a Simple REST GET API with mapping /hello.
- Configure Spring Security for JWT. Expose REST POST API with mapping /authenticate using which User will get a valid JSON Web Token.
And then allow the user access to the api /hello only if it has a valid token
Spring Boot +JSON Web Token(JWT) Hello World Example