Introduction to Spring Security
When you want to secure your web application against the threat of being hacked, you need to think in terms of multiple layers of protection. Spring Security does exactly this for you. A watchman of a building has a question-and-answer session with every newcomer. Similarly, the watchman of our web application, i.e., Spring Security, asks multiple questions to establish what data is available and who can access it. Thus, it secures your application by providing login/logout functionality, allowing or blocking access to URLs for logged-in users, and keeping a watch on the actions of logged-in users. Moreover, it handles common vulnerabilities like session fixation, clickjacking, cross-site request forgery, and many more. Spring Security gives you the benefit of both authentication and authorization by checking who you are and what your role is. We will discuss Spring Security interview questions here.
Spring Security Interview Questions
For shortlisting the best candidate for the job of a network security developer, questions and answers based on Spring Security are asked frequently. So let’s look at a few short and crisp questions and answers, which are essential to understand the concept easily.
- How does Spring Security deal with Cross-Cutting concerns?
Spring Security handles cross-cutting concerns, i.e., behaviour that must run for every request regardless of which business logic is invoked, by using Spring AOP (Aspect Oriented Programming) internally. Therefore, more than one user can be served at a time without their requests being interconnected. In Spring Security the cross-cutting concerns are implemented as filters, which intercept every request and then pass it on to the target servlet. Some of the built-in security filters are X509AuthenticationFilter, UsernamePasswordAuthenticationFilter, DigestAuthenticationFilter, BasicAuthenticationFilter, OAuth2LoginAuthenticationFilter, Saml2WebSsoAuthenticationFilter, and many more. The org.springframework.web.filter.DelegatingFilterProxy filter class is needed to hook Spring Security's filter chain into the servlet container.
- How to define a Principal inside a Security Context Holder?
Spring Security uses an Authentication object to represent the information stored in the SecurityContextHolder about the user currently active in the application. The identity of the currently logged-in user is represented by the Principal, which may be a simple String or a richer UserDetails object. The principal can be read as follows (note that getAuthentication() returns null on a thread where nobody is authenticated, e.g. outside a request):
    // imports: org.springframework.security.core.context.SecurityContextHolder, org.springframework.security.core.userdetails.UserDetails
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String username;
    if (principal instanceof UserDetails) {
        username = ((UserDetails) principal).getUsername(); // full user record from the UserDetailsService
    } else {
        username = principal.toString();                     // plain String principal
    }
- What is the difference between a SecurityContext and a SecurityContextHolder?
The SecurityContext object stores the information about the principal currently interacting with the application. By default it is held in a ThreadLocal (the default SecurityContextHolderStrategy), and therefore it is always available to methods running on the same thread of execution. The SecurityContextHolder is the wrapper that gives access to the SecurityContext and to the strategy used to store it.
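The following added example (not code from the original page) shows the ThreadLocal behaviour described above: a constructed Authentication is placed in the holder on one thread and is invisible to a newly started worker thread. It assumes spring-security-core on the classpath; the user name and role are made up.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContextHolderDemo {

    // Reads the current user's name the way application code would, guarding against
    // the null Authentication that an unauthenticated thread carries.
    static String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "nobody" : auth.getName();
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample Authentication; in a real request the filter chain creates it.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(alice);
        SecurityContextHolder.setContext(ctx);

        System.out.println("request thread sees: " + currentUser());

        // Default strategy is MODE_THREADLOCAL: a freshly started thread gets an empty context.
        // Calling SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)
        // before setContext() would let child threads inherit it instead.
        Thread worker = new Thread(() ->
                System.out.println("worker thread sees: " + currentUser()));
        worker.start();
        worker.join();

        // Clear the ThreadLocal when done; a pooled thread would otherwise leak the identity
        // into the next request it serves.
        SecurityContextHolder.clearContext();
    }
}
```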
- What is the criteria to add or replace Filters?
Spring Security maintains an internal filter chain in which each filter occupies a fixed position in order and is given one individual task; a filter is added, removed, or replaced in the configuration depending on the services the application requires.
- What will be your mode of action if the application enters an endless loop after logging in?
If this situation occurs, it means that you have not made the login page publicly available. So, remove the login page from the secured resources and mark it as accessible to ROLE_ANONYMOUS. This makes login possible for newcomers.
- Give the list of Security Layers in the Spring Security Framework.
The Spring Security Framework comprises three layers for securing the application. The layers are:
- Authentication – Looks at the identity of the user
- Web Request Security – Securing the communication between the user and the server
- Service Layer and Domain Object Security – Securing the logic and algorithms used to operate the application efficiently
- What is the error message displayed when authentication fails and how to override it?
When authentication fails for the given user id and password, the message “Bad Credentials” appears when someone logs in to an application where Spring Security is applied.
Spring Display: Bad credentials (Default message)
To override it and display “Invalid username and password” in case of wrong authentication, find which key generates which error message in Spring Security's messages.properties file, and redefine that key as you wish, like:
AbstractUserDetailsAuthenticationProvider.badCredentials=Invalid username or password
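One way to make the redefined key take effect, as an added example rather than code from the original page: register a MessageSource bean that reads our own override file first and falls back to Spring Security's bundled messages. It assumes Java configuration and an override file named security-messages.properties (our own choice of name) on the classpath.

```java
import org.springframework.context.MessageSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;

@Configuration
public class SecurityMessagesConfig {

    // src/main/resources/security-messages.properties (assumed file) contains the override:
    //   AbstractUserDetailsAuthenticationProvider.badCredentials=Invalid username or password

    // The bean must be named "messageSource": the ApplicationContext adopts it, and Spring
    // Security's providers (which implement MessageSourceAware) then resolve their keys through it.
    @Bean
    public MessageSource messageSource() {
        ReloadableResourceBundleMessageSource source = new ReloadableResourceBundleMessageSource();
        source.setBasenames(
                "classpath:security-messages",                       // our overrides, consulted first
                "classpath:org/springframework/security/messages");  // Spring Security's defaults
        source.setDefaultEncoding("UTF-8");
        return source;
    }
}
```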
- Which JAVA and Spring Version will you use for applying Spring Security?
Spring Security 3.0 and JDK 1.5 are the versions of Spring and Java, respectively, that are used when we want to apply Spring Security to our application.
- From the perspective of the Application, how many users are needed in the Spring Security system?
From the application's perspective, three kinds of users play an important role in the Spring Security system. These are:
- Supervisors – Head users who have access to almost all the resources
- Tellers – Linkers between the supervisor and the plain user
- Plain Users – Customers/ Newcomers
These are classified based on their role.
- What is the difference between AuthenticationManager and ProviderManager in Spring Security?
AuthenticationManager defines how authentication takes place and holds the reference to all the AuthenticationProviders, from which the best one for our application is selected in Spring Security. On the other hand, a ProviderManager is the most commonly used implementation of AuthenticationManager and handles the list of authentication requests to serve the users in Spring Security.
- How can we protect our passwords from hackers in the Spring Security system?
To protect passwords from being stolen, accept them in plain text but store only a hashed and salted form, using the hashing and salting functions built into Spring Security. In general terms, hashing is the process of converting a string into an encoded string according to one of various algorithms. For example, in the Spring Security system, the input password is converted into a hashed string using a hashing algorithm. The hash is stored in the DB instead of the plain text and, during authentication, is compared with the password the user provides by converting that password into a hashed string with the same algorithm. But hackers have found a way to break plain hashing. No worries, Spring Security has the solution of salting. In the salting process, an extra random string is added to the password before hashing, which finally makes it impractical for hackers to look up the combination in a rainbow table.
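The added example below (not code from the original page) demonstrates the salting point with Spring Security's own PasswordEncoder: the same password encoded twice yields two different stored strings, yet both verify, because the random salt is embedded in each hash. It assumes spring-security-crypto on the classpath; the sample password is constructed.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // The delegating encoder prefixes each hash with its algorithm id (e.g. {bcrypt}), so the
    // stored value records which algorithm and, for bcrypt, which cost and salt were used.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // What a registration handler would persist instead of the plain-text password.
    static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // What a login check does: re-hash the supplied password with the salt read from the
    // stored value and compare, never comparing raw strings.
    static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple";   // constructed sample password

        String stored1 = hashForStorage(raw);
        String stored2 = hashForStorage(raw);
        System.out.println("stored #1: " + stored1);
        System.out.println("stored #2: " + stored2);

        // A fresh random salt per encode makes the two hashes differ, which is exactly what
        // stops a precomputed rainbow table from being reused across users.
        System.out.println("hashes identical?     " + stored1.equals(stored2));
        System.out.println("password matches #1?  " + verify(raw, stored1));
        System.out.println("password matches #2?  " + verify(raw, stored2));
        System.out.println("wrong password works? " + verify("wrong password", stored1));
    }
}
```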
- What is the difference between Authentication and Authorization?
Authentication refers to a user’s identity. It answers the question, “Who are you?” This process is carried out before authorization and checks the Principal and Credentials provided by the user during login. Credentials are the passwords, and Principal is the username. There are three ways of authentication – knowledge-based authentication, possession-based authentication, and a mix of both. After the process of authentication is complete, authorization comes into the process. It answers the question, “What files can you access?” Based on the user’s role, Spring Security offers access to a certain set of resources or data stored in the application. These two processes are the key features of this security system.
- What is the difference between Granted Authority and Roles?
A GrantedAuthority is nothing more than a set of permissions that allow the user to access the data stored in the application, and roles are groups of authorities assigned together in Spring Security. For example:
Login and Search
Here, log in and search are the granted authorities to the person playing the user’s role. For example, if the user is a supervisor, he can have granted authority like update employees, create the data, search, etc.
Hence, the authorities are decided as per the role of the user. The Authentication object stores the collection of GrantedAuthority.
- What is the role of Intercept-URL in Spring Security?
All the URLs used in the application should be secured, and access is granted according to the user’s role. But there needs to be an order in which the access rules are applied, and intercept-url does this for you. This element defines a set of URL patterns and configures how each should be handled. The patterns are matched against incoming request URLs using Ant-path style syntax:
- ? matches one character
- * matches zero or more characters
- ** matches zero or more directories
The matching is done in the order in which the elements are declared, so the more specific patterns must be declared before the general ones.
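As an added example (not from the original page), the program below reproduces intercept-url's first-match-in-declared-order behaviour with Spring's AntPathMatcher, the same matcher Spring Security uses for Ant-style patterns, and exercises each of the three wildcards. The rule table and request paths are constructed for illustration; it assumes spring-core on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

public class InterceptUrlOrderDemo {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Constructed rules in declaration order. The first pattern that matches wins, so the
    // specific /admin/** rule must precede the catch-all /** or it would never be reached.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/**", "ROLE_SUPERVISOR");   // ** spans any number of directories
        RULES.put("/teller/*", "ROLE_TELLER");       // * stays within a single path segment
        RULES.put("/report/??.pdf", "ROLE_USER");    // ?? is exactly two characters
        RULES.put("/**", "ROLE_ANONYMOUS");          // catch-all, declared last
    }

    // Returns the role required for a request path, or DENY when no rule matches.
    static String accessFor(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "DENY";
    }

    public static void main(String[] args) {
        String[] paths = {
            "/admin/users/1",   // deep path under /admin
            "/teller/home",     // exactly one segment after /teller
            "/teller/a/b",      // two segments: /teller/* does not apply, falls through to /**
            "/report/q1.pdf",   // two-character report name
            "/report/q12.pdf"   // three characters: ?? does not apply, falls through to /**
        };
        for (String p : paths) {
            System.out.println(p + " -> " + accessFor(p));
        }
    }
}
```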
- What happens when a user tries to access the resource without authentication in Spring Security?
When a user tries to access a protected URL/resource without being authenticated, Spring Security sends the user to the login form to fill in the login details. This entry point, which starts authentication before access to the data is checked, is called the AuthenticationEntryPoint in Spring Security. Then the user’s access is checked by the FilterSecurityInterceptor in the SecurityFilterChain, providing a powerful layer of security.
Finding new ways to secure the data in the digital world is a continuous task. New challenges bring new inspirations to update the security system. These questions will guide you to crack the interview based on Spring Security and lead you to the path of success. Use this knowledge and answer with full confidence to solve all the problems of Spring Security.