Below is a list of questions asked frequently during technical interviews on the topic of Spring security. For details and usage of spring security concepts in real-world examples, please check-out these posts:
What is Spring Security?
Spring security is a customizable framework to provide authentication (establishing that user/device credentials are valid) and authorisation (provide access-control by deciding if the user/device is allowed to perform an action within the application) for J2EE applications.
How is Spring security implemented?
Security in Spring is enabled by the use of URL filtering through a
DelegatingFilterProxy which is provided by the Spring framework. In Spring, the filter classes are Spring beans that implements Filter interface, which is defined in the application context, thereby making use of its advanced features such as dependency-injection and auto-configuration. The following is added to your
web.xml, to enable Spring security.
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Name some features of Spring Security.
Spring Security provides support for both Authentication and Authorization. It supports protection against cyber attacks. Spring security provides Servlet API integration with Spring Web MVC.
What is OAuth?
OAuth is an open standard that provides Authoization for third party sevices to access their server resources without exposing the user’s credentials.
Explain salting in Spring security? What are the two methods of salting?
Salting is a password hashing mechanism which secures your Java application by adding an extra string to the password, thereby making it difficult for a hacker to crack passwords and preventing dictionary attacks. The extra string added to the password is called “the salt”. Using a salt means that an attacker has to build a separate dictionary of hashes for each salt value, making the attack complicated. There are two salting methods, namely, Global Salt – one common word is appended to all the passwords and per User Salt – one user attribute (user’s id, email address, etc.) serves as the Salt string for that user’s password.
What is security filter chain?
Spring Security maintains a security filter chain internally where filters can be added/removed from the configuration depending on the services required and each of the filters has a particular responsibility.
Can you name few filters in security filter chain and state the main purpose of each?
SecurityContextand maintains it between HTTP requests.
LogoutFilter– Clears the
SecurityContextHolderwhen logout is requested.
UsernamePasswordAuthenticationFilter– Adds Authentication to
SecurityContextwhen login is requested.
ExceptionTranslationFilter– converts Spring Security exceptions to HTTP response.
FilterSecurityInterceptor– Performs security handling of HTTP resources via a filter implementation and authorizes requests based on authorities.
How would you configure Spring security ?
Spring security can be configured by editing
web.xml or by in extending the
WebSecurityConfigurerAdapter implementation. In both methods, the providers for authentication and authorization can be defined as well as descriptions of application scopes that need authentication and/ or authorization. The user can specify a custom form for login or fallback to the standard login screen provided by Spring.
What is the minimum java and spring version required for spring security?
Minimum version required to enable spring security is Spring security 3.0 and jdk 1.5.
Can individual filters be added while configuring Spring security?
Yes. Based on the services required, filters can be added or replaced, as each filter has a specific responsibility in the filter chain.
What is intercept-url?
intercept-url is used to define a set of url patterns for the filter chain to intercept and handle. It can be configured in the web.xml file as part of the application. Every HTTP request sent to any URL that matches the intercept-url pattern is first passed to the filter chain. Using this method any application scope that needs to be secured can be intercepted and passed to the spring security filter chain.
What is @PreFilter and @PostFilter in spring security? What is the difference between them?
@PostFilter are method-level annotations used in Spring security to filter collection or arrays on the basis of authorization to realize security rules. This can be achieved using expression-based access control to the elements of the collections that are sent to the method as a parameter or are returned by the method. For example, the output of the method could contain a collection of all entities of a certain type which is then passed to a
@PostFilter that removes entities not authorized to be viewed by the current user’s role.
The difference between them is:
@PreFilter filters the collection or arrays before executing the method.
@PostFilter filters the returned collection or arrays after executing the method.
What is the Intercepting filter design pattern?
Intercepting filter pattern is a design pattern used widely in Spring security. For example, the filter and
intercept-url configuration in the
web.xml result in Spring security filter chain setup with a
FilterManager that is responsible for maintaining the list of active filters and for routing any requests to the intercepted URLs through the filter chain relevant to it along with the appropriate session context. This pattern is also extended to the class/ method level via spring security annotations such as
Is it possible to encode password in Spring Security using XML?
Yes, it is possible. Spring security provides the
<password-encoder/> tag is used to encode password. This interface supports the use of passwords which are encoded using a digest algorithm such as MD5 or SHA.
How to configure channel security in Spring?
Spring security provides feature to configure allowing a URL pattern to be accessed over HTTPS/HTTP channel, thereby securing the URL pattern. This can be done by setting the
requires-channel attribute in the
<intercept-url> to the preferred channel name. The value of this attribute can be set to “any” if there is no preference. For example, the following configuration is added to allow a URL pattern to be accessed over HTTPS only:
<intercept-url pattern="/login" access="ROLE_USER" requires-channel="https" />
What is the role of Authentication Manager in Spring security?
In Spring Security, the authentication manager is the main interface that provides authentication services and assumes the job of establishing a user’s identity. The authenticate method will try to authenticate the user using the
org.springframework.security.core.Authentication object (which carries the principal and credentials). If authentication is successful, it returns an Authentication object, complete with information about the granted authorities for the user. If, however, the authentication fails, the method throws an authentication exception.
AuthenticationManager is an instance of Spring Security’s
ProviderManager class and can be created using the
AuthenticationManagerBuilder instance that is available as part of the application context.
What is SecurityContextHolder?
SecurityContextHolder stores request-specific security information and the details of the present security context and includes the details of the principal which is currently interacting with the application.
How is Remember-Me authentication accomplished in Spring security?
Remember-me authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser which is detected during future sessions and causing automated login. Spring Security has two concrete remember-me implementations:
1. Using hashing to preserve the security of cookie-based tokens
2. Using a database or other persistent storage mechanism to store the generated tokens.
Which filter handles session management in Web Application security?
SessionManagementFilter is the filter used to handle session management and it checks if a user has been authenticated during the current request.
How will you use web security expressions in web.xml? Give an example.
To use web security expressions, you would first need to set the use-expressions attribute in the
<http> element to true. Next, the access attributes of the
<intercept-url> elements is configured to contain Spring EL expressions. For example, the expression used to make the endpoint
/admin accessible to users who have the role “admin” and whose IP address matches a local subnet is:
<http use-expressions="true"> <intercept-url pattern="/admin*" access="hasRole('admin') and hasIpAddress('192.168.1.0')"/> </http>
What is the difference between isAuthenticated() and isFullyAuthenticated()?
isFullyAuthenticated() returns true only if the user has been authenticated using their credentials. It returns false for a remember-me user or an anonymous user.
IsAuthenticated() returns true if the user is not an anonymous user even if the user was authenticated based on a remember-me authentication method.
What is the difference between ROLE_USER and ROLE_ANONYMOUS while configuring intercept url?
ROLE_ANONYMOUS is enabled by default. It is the role assigned to an anonymous user when a configuration uses the “anonymous authentication” filter.
ROLE_USER has meaning, only if you assign this role to your users after authenticating.
What is CSRF? Why should you disable CSRF in Spring security?
CSRF stands for Cross-Site Request Forgery and is also known as one-click attack. It is a type of malicious exploit of a website which tricks the end users to send unauthorised commands to the web application to which the user is authenticated. To prevent this any requests coming to the web-app from any other domains are blocked. However, this problem can also be solved by sending a unique token to the request which has been generated and is stored in the http session, which, any attacker will find hard to duplicate.
Spring security provides the capability to auto generate and validate such a token. Hence, CSRF can be disabled in the http security configuration. Also, CSRF protection can be disabled for services that will be entirely consumed by non-browser clients since CSRF attack is not relevant unless a user is accessing the app using a browser.