1) How does Spring Security integrate with OAuth2 for authorization

Spring Security integrates with OAuth2 for authorization by acting as a client that can request access
tokens from an OAuth2 provider.

It uses these tokens to authenticate and authorize users to access protected resources. When a user
tries to access a resource, Spring Security redirects them to the OAuth2 provider for login.

After successful authentication, the provider issues an access token to Spring Security, which it then
uses to verify the user's permissions and grant access to the resource. This integration enables
seamless and secure access control in applications.

2) Explain Cross-Origin Resource Sharing (CORS) and how you would configure it in a Spring Boot
application.

Cross-Origin Resource Sharing allows a website to safely access resources from another website. In
Spring Boot, we can set up CORS by adding @CrossOrigin to controllers or by configuring it globally.

This tells our application which other websites can use its resources, what type of requests they can
make, and what headers they can use.

This way, We control who can interact with our application, keeping it secure while letting it
communicate across different web domains.

3) Explain SecurityContext and SecurityContext Holder in Spring security.

In Spring Security, the SecurityContext is where details about the currently authenticated user are
stored, like user details and granted authorities.

The SecurityContextHolder is a helper class that holds the SecurityContext. It's like a container or
storage space that keeps track of the authentication information of the current user throughout the
application.

This makes it easy to access the user's details anywhere in the application, ensuring that security
decisions can be made based on the user's authentication status and roles.

4) What do you mean by OAuth2 Authorization code grant type

The OAuth2 Authorization Code grant type is a secure way to authenticate and authorize users. It
works by directing the user to a login page managed by the OAuth2 provider (like Google or
Facebook).

After logging in, the user is given a code.

This code is then exchanged for an access token by the application's backend server. This access
token is used to access the user's data securely.

This process keeps user credentials safe, as the actual token exchange happens away from the user's
device, minimizing the risk of sensitive information being exposed.

5) How does Spring Security protect against Cross-Site Request Forgery (CSRF) attacks, and under
what circumstances might you disable CSRF protection?

Spring Security protects against CSRF attacks by generating unique tokens for each session and
requiring that each request from the client includes this token.

GenZ Career on YouTube

Subscribe for Interview Preparation
This ensures the request is from the authenticated user, not a malicious site. However, CSRF
protection might be disabled for APIs meant to be accessed by non-browser clients, like mobile apps
or other back-end services, where the risk of CSRF is low and tokens can't be easily managed.

Disabling CSRF in these cases simplifies the integration with these services without significantly
compromising security.

6) How can you implement method-level security in a Spring application, and what are the
advantages of this approach?

To implement method-level security in a Spring application, I can use annotations like @PreAuthorize
or @Secured on individual methods. These annotations check if the user has the required
permissions or roles before executing the method.

The advantage of this approach is that it provides fine-grained control over who can access specific
functionalities within the application. This means I can restrict sensitive operations at the method
level, ensuring that only authorized users can perform certain actions, which enhances the overall
security of the application.

7) Your organization uses an API Gateway to route requests to various microservices. How would
you leverage Spring Security to authenticate and authorize requests at the gateway level before
forwarding them to downstream services?

At the API Gateway, I can use Spring Security to check if requests are allowed before sending them to
other services.

By checking tokens or using OAuth2 at the gateway, I make sure only valid and authorized requests
get through.

This means each service doesn't have to check security separately, making the whole system simpler
and safer.

8) How can you use Spring Expression Language (SpEL) for finegrained access control?

I can use Spring Expression Language (SpEL) for fine-grained access control by embedding it in
security annotations like @PreAuthorize. For example, I can write expressions that check if a user has
specific roles, and permissions, or even match against method parameters to decide access.

This allows for very detailed and flexible security rules directly in the code, letting me tailor access
rights precisely to the user's context and the operation being performed. Using SpEL in this way helps
in creating dynamic and complex security conditions without cluttering the business logic.

9) In your application, there are two types of users: ADMIN and USER. Each type should have
access to different sets of API endpoints. Explain how you would configure Spring Security to
enforce these access controls based on the user's role.

In the application, to control who can access which API endpoints, I can use Spring Security to set
rules based on user roles. I can configure it so that only ADMIN users can reach adminrelated
endpoints and USER users can access user-related endpoints.

This is done by defining patterns in the security settings, where I link certain URL paths with specific
roles, like making all paths starting with "/admin" accessible only to users with the ADMIN role, and
paths starting with "/user" accessible to those with the USER role. This way, each type of user gets
access to the right parts of the application.
GenZ Career on YouTube
Subscribe for Interview Preparation
10) What do you mean by digest authentication?

Digest authentication is a way to check who is trying to access something online without sending
their actual password over the internet. Instead, it sends a hashed (scrambled) version of the
password along with some other information.

When the server gets this scrambled password, it compares it with its own scrambled version. If they
match, it means the user's identity is verified, and access is granted. This method is more secure
because the real password is never exposed during the check.

11) What is the best practice for storing passwords in a Spring Security application?

The best practice for storing passwords in a Spring Security application is to never store plaintext
passwords. Instead, passwords should be hashed using a strong, one-way hashing algorithm like
bcrypt, which Spring Security supports.

Hashing converts the password into a unique, fixed-size string that cannot be easily reversed.
Additionally, using a salt (a random value added to the password before hashing) makes the hash
even more secure by preventing attacks like rainbow table lookups. This way, even if the password
data is compromised, the actual passwords remain protected.

12) Explain the purpose of the Spring Security filter chain and How would you add or customize a
filter within the Spring Security filter chain

The Spring Security filter chain is a series of filters that handle authentication and authorization in a
Spring application. Each filter has a specific task, like checking login credentials or verifying if a user
has access to certain resources.

To add or customize a filter, I can define a new filter class and add it to the filter chain in the security
configuration. This is done by using the addFilterBefore, addFilterAfter, or addFilterAt methods,
specifying where in the chain the new filter should be placed, to ensure it's executed at the correct
point during the security processing.

13) How does Spring Security handle session management, and what are the options for handling
concurrent sessions

Spring Security handles session management by creating a session for the user upon successful
authentication. For managing concurrent sessions, it provides options to control how many sessions
a user can have at once and what happens when the limit is exceeded.

For example, I can configure it to prevent new logins if the user already has an active session or to
end the oldest session. This is managed through the session management settings in the Spring
Security configuration, where I can set policies like maximumSessions to limit the number of
concurrent sessions per user.

14) You've encountered an issue where users are being unexpectedly denied access to a resource
they should have access to. Describe your approach to debugging this issue in a Spring Security-
enabled application.

To debug access issues in a Spring Security-enabled application, I would start by checking the security
configuration to ensure the correct roles and permissions are set for the resource. Next, I would
examine the logs to see if Spring Security is throwing any specific errors or denying access for a
particular reason.

GenZ Career on YouTube

Subscribe for Interview Preparation
I might also enable debug logging for Spring Security to get more detailed information about the
security decisions being made. Additionally, verifying the user's assigned roles and the methodlevel
security annotations, if any, would help identify if the access rules are correctly applied.

15) Describe how to implement dynamic access-control policies in Spring Security.

To implement dynamic access-control policies in Spring Security, We can use the Spring Expression
Language (SpEL) within the @PreAuthorize or @PostAuthorize annotations to define complex,
runtime-evaluated conditions for access control.

This allows the access rules to be determined based on the current state of the application, user
properties, or method parameters. For example, by fetching roles or permissions from a database at
runtime, we can dynamically decide whether a user can access a specific method or resource,
allowing for more flexible and context-sensitive security policies.

16) How do you test security configurations in Spring applications?

To test security configurations in Spring applications, I use Spring Security's testing support, which
includes annotations like @WithMockUser or @WithAnonymousUser to simulate different
authentication scenarios.

I also write unit and integration tests that make requests to secured endpoints and verify the
responses based on various user roles and permissions.

By using MockMvc in Spring MVC tests, I can assert that the security rules are correctly enforced,
checking if the access is granted or denied as expected. This ensures that the security configuration is
working properly and protecting the application as intended.

17) Explain salting and its usage in spring security

Salting in Spring Security means adding a random piece of data to a password before turning it into a
hash, a kind of scrambled version.

This makes every user's password hash unique, even if the actual passwords are the same. It helps
stop attackers from guessing passwords using known hash lists.

When a password needs to be checked, it's combined with its salt again, hashed, and then compared
to the stored hash to see if the password is correct. This way, the security of user passwords is
greatly increased.

18) How can you use Spring Expression Language (SpEL) for finegrained access control?

I can use Spring Expression Language (SpEL) for fine-grained access control by applying it in
annotations like @PreAuthorize in Spring Security.

With SpEL, I can create complex expressions to evaluate the user's context, such as roles,
permissions, and even specific method parameters, to decide access rights.

This allows for detailed control over who can access what in the application, making the security
checks more dynamic and tailored to the specific scenario, ensuring that users only access resources
and actions they are authorized for.

19) Explain what is AuthenticationManager and ProviderManager in Spring security.

GenZ Career on YouTube

Subscribe for Interview Preparation
The AuthenticationManager in Spring Security is like a checkpoint that checks if user login details are
correct. The ProviderManager is a specific type of this checkpoint that uses a list of different ways
(providers) to check the login details.

It goes through each way to find one that can confirm the user’s details are valid. This setup lets
Spring Security handle different login methods, like checking against a database or an online service,
making sure the user is who they say they are.

20) When a user tries to access a resource without the necessary permissions, you want to redirect
them to a custom "access denied" page instead of displaying the default Spring Security error
message. How would you achieve this in your Spring Security configuration?

To redirect users to a custom "access denied" page in Spring Security, I would configure the
ExceptionTranslationFilter within my security settings.

Specifically, I would set a custom access denied handler using the accessDeniedHandler method,
providing it with a URL to my custom page.

This handler intercepts the AccessDeniedException and redirects the user to the specified page,
allowing for a more user-friendly error experience. By customizing the access denied response, I can
provide clearer information or instructions to the user, improving the overall usability of the
application.

GenZ Career on YouTube

Subscribe for Interview Preparation