Top 27 Spring Security Interview Questions Answers for Java Developers

Hello guys, if you are preparing for a Java and Spring developer interview then you should prepare for Spring Security. Since security is an important topic and Spring Security is the most popular framework for implementing security in Java web applications, there are always a few questions based on Spring Security in Java developer interviews. In the past, I have shared Spring Boot questions, Spring Data JPA questions, Spring Cloud questions, and Microservices interview questions, and in this article, I will share 20 popular Spring Security questions for practice. I have also shared answers so that you can revise key Spring Security concepts quickly, but if you think that you need more preparation on a certain topic then you can also check out this list of the best Spring Security courses where I have shared online courses to learn Spring Security in depth.

Adequately preparing for an interview is always a very important thing for anyone going for an interview to do. You cannot fail to prepare and then expect to get good results at the end because proper preparation goes hand in hand with great results. 

An interview can turn around your life so you have to treat it with the seriousness it deserves. Just imagine getting into an interview room and immediately seeing the interview panel, you realize that you are not ready at all for the interview. 

Will you run away or will you face the panel? To save yourself from such an embarrassment, you only have to do one thing and that is to get ready.

Getting ready is not just saying to yourself you are ready or telling your friends that you are ready but it entails you making a step of finding out the types of questions that are usually asked in that particular type of interview.

Once you know the kind of questions commonly asked, you will be a step ahead, and it will be an added advantage to you on the day of the interview. On my part, I have thought about you and have therefore researched and compiled questions that you are very likely to find in a Spring Security interview.

27 Spring Security Interview Questions with Answers for Experienced Java Developers

Here are the 20 Spring Security questions you can prepare to do well in a Spring developer interview. I have tried to cover the important Spring Security concepts through these questions, but if you think something is missing, feel free to suggest it in the comments. If you have a Spring Security question whose answer you don't know, feel free to share it in the comments and I will try to answer.

1. What is Spring Security?
Answer: Spring Security is a powerful authentication and access control framework. It is highly customizable and focuses on providing both authentication and authorization to Java applications.

2. What are the modules of the Spring framework?
Answer: The Spring framework has four modules as follows:
  • Test
  • Data Access
  • AOP
  • Web

3. What are some of the predefined filters used in spring security?
Answer: Some of the predefined filters, in the order in which they run, are as follows:
  • SecurityContextPersistenceFilter – stores the SecurityContext contents between HTTP requests.
  • ConcurrentSessionFilter – responsible for handling concurrent sessions.
  • UsernamePasswordAuthenticationFilter – the most commonly used authentication filter.
  • ExceptionTranslationFilter – handles exceptions thrown by the security interceptors.
  • FilterSecurityInterceptor – secures HTTP resources.

4. What rules and restrictions do you have to follow in order for DelegatingFilterProxy to work as required?
  • The target bean must implement the javax.servlet.Filter interface.
  • DelegatingFilterProxy must be declared as a filter in your web.xml.
  • The filter-name element and the target bean must have the same name.

5. What is the security context?
Answer: SecurityContext is an interface in the Spring Security framework that defines the minimum security information associated with the current thread of execution.

6. What is PasswordEncoder in Spring Security?
Answer: PasswordEncoder is a Spring Security interface that provides password encoding, that is, one-way password hashing for storage and verification.

7. What are some of the essential features of Spring Security?
Answer: Some of the essential features of Spring Security include:
  • It supports authentication and authorization in a very organized, comprehensive, and flexible manner.
  • It integrates with the Servlet API.
  • It provides optional integration with Spring Web MVC.
  • It facilitates the detection and prevention of attacks.

8. What is ProviderManager in Spring Security?

Answer: ProviderManager is the default implementation of AuthenticationManager.

9. What is JWT?
Answer: JWTs (JSON Web Tokens) are tokens generated by a server when a user is authenticated in a web application and then sent to the client. Here is a nice diagram which clearly explains what a JSON Web Token is and the parts of a JWT:

10. Why do you need the Intercept-url?
Answer: intercept-url is used to define the set of URL patterns that the application is interested in, as well as to configure how requests matching them should be handled.

11. How many user roles are there in Spring Security?
Answer: You can define as many user roles as you want in Spring Security. For example, an e-commerce application can have the following roles:
  • Tellers
  • Supervisors
  • Plain Users

12. What are the security layers in Spring Security framework?
  • Authentication
  • Web request security
  • Service layer and domain object security

13. In which security annotations is SpEL used?
You can use the Spring Expression Language (SpEL) in the following annotations:
  • @PostFilter
  • @PreAuthorize
  • @PostAuthorize
  • @PreFilter

14. What is a Principal in Spring Security?
Answer: the principal refers to the user who is currently logged in. Spring Security gives you methods to access the current principal so that you can check its granted authorities when authorizing page access.

15. What is salting? What is password hashing?
Answer: salting is the process of combining random data (the salt) with a password before hashing it. Password hashing, on the other hand, is the process of transforming a password with a one-way hash function and storing the resulting hash, rather than the plain-text password, in the database. Here is a nice diagram which explains salting and how to use salted passwords in Spring and Java:
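As an added example (not code from the original post) covering questions 6 and 15 together: Spring's default DelegatingPasswordEncoder hashes with bcrypt and stores a fresh random salt inside each hash, so the application never handles salts itself. It assumes only that spring-security-crypto is on the classpath; the class name and passwords are constructed for the example.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // Spring's default encoder: a DelegatingPasswordEncoder that writes the
    // algorithm id in front of each hash ("{bcrypt}$2a$10$...") so hashes made
    // with an older scheme can still be verified after the default is upgraded.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Hash a password for storage. bcrypt draws a fresh random salt on every
     *  call and keeps it inside the output string, so the application never
     *  has to generate, store or look up a salt itself. */
    public static String hashForStorage(CharSequence rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Verify a login attempt. The salt and cost factor are parsed back out of
     *  the stored value, the candidate is hashed the same way and the two
     *  results are compared; the raw password is never persisted. */
    public static boolean verify(CharSequence rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        String hash1 = hashForStorage("correct horse battery staple");
        String hash2 = hashForStorage("correct horse battery staple");
        System.out.println("stored value: " + hash1);
        // Different salts give different hashes for the same password, so a
        // database leak reveals neither reused passwords nor a single value
        // that one precomputed table could attack.
        System.out.println("same password, same hash? " + hash1.equals(hash2));
        System.out.println("right password accepted? "
                + verify("correct horse battery staple", hash1));
        System.out.println("wrong password rejected? "
                + !verify("wrong password", hash1));
    }
}
```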

16. What are the types of advice in AOP?
Answer: Spring Security is a cross-cutting concern, so it is implemented using Spring AOP. It provides multiple options for authorization as well as authentication. The following are the common types of advice available in AOP:
  • After Advice
  • Before Advice
  • Throws Advice
  • Around Advice
  • After Returning Advice

17. What are the ORMs supported by Spring?
  • JPA (Java Persistence API)
  • Hibernate
  • JDO (Java Data Objects)
  • iBatis
  • TopLink

18. What is mutual authentication?
Answer: mutual authentication is a process where both entities in a communication link validate each other. It is also known as two-way authentication.

19. What is the work of the @Secured and @RolesAllowed annotations in Spring Security?
Answer: both of these annotations provide method-level security on Spring beans. The difference between the two is that @Secured is a Spring Security annotation available from version 2.0 onwards, while @RolesAllowed is a JSR 250 annotation.

20. Why does the application go into an endless loop when you try to log in?
Answer: this only happens when the login page is itself a secured resource, so every redirect to the login page triggers another redirect to the login page. Ordinarily, the login page should not be secured but instead marked as ROLE_ANONYMOUS.
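As an added example (not code from the original post) for questions 10 and 20: the Java-config equivalent of intercept-url rules, with the login page and its static assets left open so the redirect loop described above cannot occur. It assumes Spring Security 5.4 to 5.8 (antMatchers was replaced by requestMatchers in 6.0); the URL patterns and class name are constructed for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Each antMatchers(...) line plays the role of one <intercept-url>
            // element; rules are evaluated in order, so specific ones come first.
            .authorizeRequests(urls -> urls
                // The login page and the assets it loads must be reachable by
                // anonymous users; if /login itself required authentication,
                // every visit would be redirected to /login again (question 20).
                .antMatchers("/login", "/css/**", "/js/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Everything else requires an authenticated session.
                .anyRequest().authenticated())
            // Custom login page; permitAll() on the form also opens the
            // processing URL and the failure URL (/login?error).
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll())
            .logout(logout -> logout
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}
```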

21. The @EnableGlobalMethodSecurity annotation is used in Spring Security to secure which layer?
You can use the @EnableGlobalMethodSecurity annotation to secure your service layer. From version 2.0 onwards, Spring Security has substantially improved its support for adding security to service layer methods. It provides support for JSR-250 annotation security as well as the framework's original @Secured annotation. From 3.0 you can also make use of the newer expression-based annotations.
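As an added example (not code from the original post) tying together questions 13, 19 and 21: one configuration class that enables all three annotation styles, and a service bean that uses each of them. AccountService, AccountView and the sample data are constructed for the example; it assumes Spring Security 5.x with spring-security-config on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Enables all three annotation families on Spring beans (question 21).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig {
}
@Service
class AccountService {
    // Constructed in-memory stand-in for the accounts table: id -> owner username.
    private final Map<Long, String> owners = new ConcurrentHashMap<>(Map.of(1L, "alice", 2L, "bob"));

    // SpEL evaluated before the call (question 13): the caller needs ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(long accountId) {
        owners.remove(accountId);
    }

    // SpEL evaluated after the call: the result is released only if it belongs to the
    // caller, so a user cannot read someone else's account by guessing an id.
    @PostAuthorize("returnObject.owner == authentication.name")
    public AccountView loadAccount(long accountId) {
        return new AccountView(owners.getOrDefault(accountId, ""));
    }

    // Spring's own annotation (question 19): the ROLE_ prefix must be written out.
    @Secured("ROLE_USER")
    public int countAccounts() {
        return owners.size();
    }

    // JSR-250 equivalent (question 19): Spring adds the ROLE_ prefix when it is absent.
    @RolesAllowed("USER")
    public boolean exists(long accountId) {
        return owners.containsKey(accountId);
    }
    // Getter names matter: SpEL resolves returnObject.owner to getOwner().
    public static final class AccountView {
        private final String owner;
        AccountView(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }
}
```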

22. What are authentication and authorization in Spring Security? Which comes first?
Authentication is the process of validating that a user is who they claim to be. Once the person is authenticated, they are allowed to perform certain actions based on their role, which is authorization. This means authentication comes first.

23. In Spring Security, what is the name of the class that retrieves the authentication information from the database for a given username?
In Spring Security, UserDetailsService is used by DaoAuthenticationProvider to retrieve the username, password, and other attributes needed to authenticate with a username and password. Spring Security provides in-memory and JDBC implementations of UserDetailsService. You can define custom authentication by exposing a custom UserDetailsService as a bean.

24. In Spring Security, which class holds the information regarding high-level user permissions?
In Spring Security, GrantedAuthority represents an authority that is granted to the principal on the Authentication (i.e. roles, scopes, etc.).

25. In Spring Security, which Servlet Filter intercepts all the incoming requests sent to an application?
Spring provides a Filter implementation named DelegatingFilterProxy that bridges the Servlet container's lifecycle and Spring's ApplicationContext. The Servlet container allows registering Filters using its own standards, but it is not aware of Spring-defined beans. DelegatingFilterProxy can be registered via the standard Servlet container mechanisms, but it delegates all the work to a Spring bean that implements Filter.

26. Which class holds user information such as the username and password before authentication in Spring Security?
In Spring Security, UserDetails is returned by the UserDetailsService. The DaoAuthenticationProvider validates the UserDetails and then returns an Authentication whose principal is the UserDetails returned by the configured UserDetailsService.
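As an added example (not code from the original post) for questions 23, 24 and 26: a custom UserDetailsService that plays the role of the users table, builds the UserDetails that DaoAuthenticationProvider validates, and reads the resulting GrantedAuthority values. The class, user records and passwords are constructed for the example; it assumes a PasswordEncoder bean is available for injection.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class MapBackedUserDetailsService implements UserDetailsService {
    // Constructed stand-in for the users table: username -> stored record.
    private final Map<String, StoredUser> users = new ConcurrentHashMap<>();

    public MapBackedUserDetailsService(PasswordEncoder encoder) {
        // Only the encoded form is kept; the raw strings are sample data for the example.
        users.put("alice", new StoredUser(encoder.encode("alice-pw"), "ADMIN", "USER"));
        users.put("bob", new StoredUser(encoder.encode("bob-pw"), "USER"));
    }

    // DaoAuthenticationProvider calls this with the submitted username and then runs
    // PasswordEncoder.matches() against the password of the UserDetails it gets back.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        StoredUser stored = users.get(username);
        if (stored == null) {
            // DaoAuthenticationProvider reports this as BadCredentialsException by default,
            // so an unknown username is indistinguishable from a wrong password.
            throw new UsernameNotFoundException("unknown user");
        }
        return User.withUsername(username)
                .password(stored.encodedPassword) // already hashed, never the raw value
                .roles(stored.roles)              // becomes GrantedAuthority ROLE_ADMIN, ROLE_USER
                .build();
    }

    // Reads the GrantedAuthority values (question 24) off a UserDetails.
    public static boolean hasAuthority(UserDetails user, String authority) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
    }

    static final class StoredUser {
        final String encodedPassword;
        final String[] roles;
        StoredUser(String encodedPassword, String... roles) { this.encodedPassword = encodedPassword; this.roles = roles; }
    }
}
```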

27. What are the authentication mechanisms provided by Spring Security?

Spring Security provides the following authentication mechanisms:
  • Username and Password
  • OAuth 2.0
  • SAML 2.0
  • CAS
  • Remember Me
  • JAAS Authentication
  • OpenID
  • Pre-Authentication Scenarios
  • X509 Authentication

That's all about the 27 Spring Security interview questions with answers for experienced Java developers. These questions are good for Java developers with 1 to 5 years of experience who have worked with the Spring Framework and implemented authentication and authorization using Spring Security.

Spring Security is a very interesting subject, and you will enjoy answering questions about it during the interview if you have gone through the questions above thoroughly. If you have not mastered all of them, please take your time and go through them once again; I am sure you will see that these questions are just like any other and that you can answer them easily, provided you are confident enough in front of the interviewing panel.

Always remember that your confidence during the interview day depends on how well you have prepared yourself. Don’t shift your focus to anything else but keep on internalizing the questions and answers and you will surely be proud of yourself at the end.

Other Java and Spring Tutorials and Questions you may like
  • 5 courses to learn Spring Boot and Spring Cloud (courses)
  • 15 Spring Data JPA Interview Questions with answers (questions)
  • 15 Spring Cloud Interview Questions for Java developers (answers)
  • 15 Microservices Interview questions (answers)
  • 5 Courses to learn Spring Cloud and Microservices (courses)
  • 10 Advanced Spring Boot Courses for Java Programmers (courses)
  • 5 Course to Master Spring Boot online (courses)
  • 10 Tools Java Developers use in their day-to-day life (tools)
  • Top 5 Books and Courses to learn RESTful Web Service (books)
  • 13 Spring Boot Actuator questions with answers (Actuator)
  • 3 ways to change Tomcat port in Spring Boot (tutorial)
  • 5 Spring Boot Annotations for full-stack Java developers (tutorial)
  • 10 Spring MVC annotations Java developers should learn (annotations)
  • 20 Kubernetes Interview Questions with Answers (k8s questions)
  • Top 5 Courses to learn Microservices in Java? (courses)
  • 10 Courses to learn Spring Security with OAuth 2 (courses)
  • 3 Best Practices Java Programmers can learn from Spring (best practices)
Thanks for reading this article so far; if you find these Spring Security interview questions and answers useful, please share them with your friends and colleagues.

P. S. - If you want to learn about Spring Security and are looking for the best Spring Security online course, I also recommend joining these best Spring Security online courses on Udemy and Baeldung. It's one of the best free courses to learn Spring Boot for Java developers.
