Spring Security Interview Questions and Answers

What is Spring Security, and why is it important?

Spring Security is a powerful and highly customizable authentication and access-control framework. It’s the de-facto standard for securing Spring-based applications. Spring Security is important because it provides a comprehensive security solution that includes authentication, authorization, protection against common exploits, and API security, making it easier for developers to secure their applications effectively.

Code Example: Basic Security Configuration

This basic example showcases how to configure Spring Security to require authentication for every request except for “/”, “/home”, and “/login”. It also configures a custom login and logout process.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}

How does Spring Security integrate with Spring Boot applications?

Spring Security seamlessly integrates with Spring Boot applications through auto-configuration, which automatically applies security best practices by default. When Spring Security dependency is added to a Spring Boot application, it automatically configures a security model that is suitable for most needs. This integration simplifies securing web applications, APIs, and method-level security through annotations. Developers can further customize security settings to meet their specific requirements without having to write extensive configuration.

In a Spring Boot application, simply including the Spring Security dependency in your pom.xml or build.gradle file is enough to activate the default security settings. Further customizations can be added as needed.

What are the key components of Spring Security?

The key components of Spring Security include Authentication, Authorization, Principal, Granted Authority, and Filters. 

Authentication is the process of verifying who a user is, while Authorization determines what an authenticated user is allowed to do. The Principal represents an entity (typically a user) within the application. Granted Authority refers to the permissions granted to the principal. Filters are used by Spring Security to intercept requests to enforce authentication and authorization.

Can you explain the role of the WebSecurityConfigurerAdapter in Spring Security?

The WebSecurityConfigurerAdapter is a convenience class provided by Spring Security that allows customization to both WebSecurity and HttpSecurity. Developers extend this class and override the relevant methods to configure aspects of web security such as configuring security realms, enabling CSRF protection, and controlling session management. It is the central place to configure web-based security for specific http requests.

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // Disable CSRF protection as an example
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers("/public/**").permitAll()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .permitAll();
    }
}

How does Spring Security handle authentication?

Spring Security handles authentication by verifying a user’s identity against provided credentials, typically a username and password combination. The process involves the AuthenticationManager interface, which delegates the actual authentication process to an AuthenticationProvider that checks the credentials against a source, such as a database, LDAP, in-memory storage, or other custom source. Upon successful authentication, a fully populated Authentication object, including the principal and granted authorities, is returned, signifying the user’s identity and roles.

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        // Here, add your logic to authenticate against a database, for example.
        if ("user".equals(username) && "password".equals(password)) {
            return new UsernamePasswordAuthenticationToken(username, password, Collections.emptyList());
        } else {
            throw new BadCredentialsException("Authentication failed for " + username);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

What is the difference between authentication and authorization in Spring Security?

Authentication and authorization are two core components of security in Spring Security. Authentication is the process of verifying who a user is, essentially checking if the credentials provided by the user are valid. Authorization, on the other hand, determines what an authenticated user is allowed to do within the application, based on their roles or permissions. While authentication validates identity, authorization validates permissions and access levels to resources and operations.

How does Spring Security support authorization?

Spring Security supports authorization through the use of interceptors that check access controls before allowing access to certain resources or executing certain methods. It offers several ways to configure authorization, including URL-based authorization, method-level security with annotations like @PreAuthorize and @Secured, and using role-based access control (RBAC). Developers can specify authorization rules in the security configuration to ensure that only authorized users can access specific functionalities.

Method-level Security with @PreAuthorize:

@Service
public class TaskService {

    @PreAuthorize("hasAuthority('ROLE_USER')")
    public void executeUserTask() {
        // Task logic for users
    }

    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public void executeAdminTask() {
        // Task logic for admins
    }
}

This example shows how to use @PreAuthorize to protect methods based on the authenticated user's roles, ensuring that only users with the specified roles can access these methods.

Can you explain the role of UserDetails and UserDetailsService in Spring Security?

In Spring Security, UserDetails is an interface that provides the necessary information to build an Authentication object from your application's DAOs or other source of security data. It includes information such as the username, password, and the authorities granted to the user. UserDetailsService is an interface used to retrieve the user's authentication and authorization information. It has a single method, loadUserByUsername(String username), which locates the user based on the username. Implementing UserDetailsService allows customization of the process of finding and verifying user information.

This example shows a simple implementation of UserDetailsService, demonstrating how to load user details by username, a crucial step in the authentication process in Spring Security.

@Service
public class MyUserDetailsService implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Here, implement your logic to find the user by username from a database, for example.
        if ("admin".equals(username)) {
            return new User("admin", "password", Collections.singletonList(new SimpleGrantedAuthority("ROLE_ADMIN")));
        } else {
            throw new UsernameNotFoundException("User not found with username: " + username);
        }
    }
}

What is OAuth2 Authorization code grant type? 

OAuth (Open Authorization) is a simple way to publish and interact with protected data.

It is an open standard for token-based authentication and authorization on the Internet. It allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

The OAuth specification describes five grants for acquiring an access token:

• Authorization code grant
• Implicit grant
• Resource owner credentials grant
• Client credentials grant
• Refresh token grant

What is CSRF protection in Spring Security, and how is it implemented?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Spring Security provides CSRF protection by default, preventing such attacks by using a token-based approach. When CSRF protection is enabled, Spring Security requires a unique token in each form submission and AJAX request, ensuring that the request originates from the application’s own pages.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}

This configuration enables CSRF protection with a cookie-based token repository.

How can Spring Security be used to secure REST APIs?

Securing REST APIs with Spring Security involves configuring stateless session management since REST is stateless by nature. This typically means disabling session creation and using token-based authentication mechanisms such as JWT (JSON Web Token). Spring Security can be configured to parse the JWT from the request, authenticate the token, and authorize requests based on the token’s validity and the roles/permissions it contains.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                .antMatchers("/api/private/**").authenticated()
            .and()
            .addFilter(new JWTAuthenticationFilter(authenticationManager()));
    }
}

Spring Security Overview