Frequently asked Spring Security Interview Questions (2020)

In this post, Spring Security interview questions covering JWT and OAuth are answered for both experienced candidates and freshers. We share our experience here to help you make progress in your career.

Spring Boot Security Interview Questions:

  1. Spring Security Interview Questions
  2. OAuth2.0 Interview Questions
  3. JWT Interview Questions
  4. SAML Interview Questions

Q: What is Spring Security?
Ans:

Spring Security is a framework that focuses on providing authentication, authorization, and protection against common attacks.
Spring Security enables a programmer to impose security restrictions on Spring-framework-based web applications through JEE components. In short, it is a library that can be used as-is or extended to match the programmer's needs.

Q: Why is security needed in an application?
Ans:

Application security is very important because applications today are often accessible over multiple networks and connected to the cloud, which increases their exposure to security threats and breaches.

Q: What is Delegating Filter Proxy?
Ans:

Spring makes use of the DelegatingFilterProxy to implement its security mechanisms.

It is a proxy for a standard Servlet Filter that delegates to a Spring-managed bean implementing the Filter interface. It is the starting point of the springSecurityFilterChain, which instantiates the Spring Security filters according to the Spring configuration.
Some of the features of Spring Security are:

  • Support for both authentication and authorization
  • Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.
  • Servlet API integration
  • Optional integration with Spring Web MVC

Q: What is Security Context and Security Context Holder in Spring Security?
Ans:

The SecurityContext and SecurityContextHolder are two fundamental types in Spring Security. The SecurityContext stores the details of the currently authenticated user, also known as the principal, while the SecurityContextHolder gives access to the current SecurityContext through getContext().

Q: What is Basic Authentication?
Ans:

Basic Authentication is a way to provide authentication by passing the username and password as part of the request in the HTTP Authorization header, which allows the user to access the resource.

Syntax of Basic Authentication

Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
//Example: Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==
//Decoding it gives back the original username:password TestUser:test123

Q: How to implement Spring Boot + Basic Authentication?
Ans:

You can implement Basic Authentication with the following steps:

  • Create a Spring Boot project from Spring Initializr.
  • Add the spring-boot-starter-security Maven dependency to pom.xml.
  • Configure the user and password in application.yml.
  • Configure Spring Security by extending WebSecurityConfigurerAdapter to enable basic authentication for our REST API. Override the configure method to use HTTP basic authentication.
  • Create a simple REST endpoint to test the basic authentication configured in the step above.
  • Test the REST endpoint created above.
Refer to the Spring Boot Basic Authentication Example implemented as per the above steps.
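The configuration step above, written out as an added example (not the page's own project code): a WebSecurityConfigurerAdapter that enables HTTP Basic, keeps the API stateless, and stores passwords BCrypt-hashed. The users TestUser/test123 and the hypothetical TestAdmin are defined in memory here instead of application.yml.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class BasicAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored hashed; only the Basic header carries the plaintext, protected by TLS.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical in-memory users; a real application loads them from application.yml or a database.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("TestUser").password(passwordEncoder().encode("test123")).roles("USER")
            .and()
            .withUser("TestAdmin").password(passwordEncoder().encode("hypothetical-admin-password")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Basic credentials are re-sent on every request, so no server-side session is needed.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // hasRole() adds the ROLE_ prefix itself
                .anyRequest().authenticated()
            .and()
            .httpBasic();   // unauthenticated requests get 401 with a WWW-Authenticate: Basic challenge
    }
}
```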

Q: What are the drawbacks of using Basic Authentication?
Ans:

  • Basic Authentication uses base64 encoding (not encryption) to produce the credential string that carries the username and password. Basic Authentication is not secure, as the header can be easily decoded as shown below.
  • Decode credential: if we copy the Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw== header generated by the Spring Boot Basic Authentication Example and base64-decode it, we get the credential back in the form user:password, which is not secure.
  • There is no explicit HTTP basic authentication logout. You must exit the browser to force logout.

Q: What is Digest Authentication?
Ans:

Digest Authentication never sends the password itself; instead it sends the result of applying a hash function to the username, the password, the nonce value provided by the server, the HTTP method and the requested URI.

Q: Why use Digest Authentication over Basic Authentication?
Ans:

  • Basic Authentication uses base64 encoding (not encryption) to produce the credential string that carries the username and password. Basic Authentication is not secure, as the header can be easily decoded as shown below.

    Syntax of Basic Authentication

    Value = username:password
    Encoded Value = base64(Value)
    Authorization Value = Basic <Encoded Value>
    //Example: Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==
    //Decoding it gives back the original username:password TestUser:test123

  • Digest Authentication uses a hashing technique to generate the cryptographic result, which cannot be reversed by simple decoding the way a base64 string can.

    RFC 2617 - Digest Access Authentication Syntax

    Hash1 = MD5(username:realm:password)
    Hash2 = MD5(method:digestURI)
    response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

    //Example, generated by running the Digest Authentication example
    Authorization: Digest username="TestAdmin", realm="admin-digest-realm",
    nonce="MTYwMDEwMTUyMDM4OToxM2M1Y2I4MGFjMjk4OGI1ODQzZjc3NDUzOGFlMjZjYw==",
    uri="/admin/hello?name=User", response="2f080edbec53be2bdf3853d477e4a543",
    qop=auth, nc=00000002, cnonce="11ecd9bf947dbcf4"
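The RFC 2617 computation above, carried through in plain Java as an added example (not the page's code): the client derives the response from its password, and the server verifies it from a stored Hash1 (HA1) without ever holding the plaintext. The username, realm, nonce, nc, cnonce and URI are taken from the example header; the password is a constructed placeholder, so the computed response will not match the page's value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseDemo {

    /** MD5 as lowercase hex, the encoding RFC 2617 uses for every intermediate value. */
    static String md5Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a mandatory MessageDigest algorithm", e);
        }
    }

    /** Hash1 = MD5(username:realm:password); a server may store this instead of the plaintext password. */
    static String ha1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /** response = MD5(Hash1:nonce:nc:cnonce:qop:Hash2) with Hash2 = MD5(method:uri), for qop=auth. */
    static String response(String ha1, String nonce, String nc, String cnonce, String qop, String method, String uri) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    public static void main(String[] args) {
        // Header fields from the example above; the password is a constructed placeholder.
        String username = "TestAdmin", realm = "admin-digest-realm", password = "hypothetical-password";
        String nonce = "MTYwMDEwMTUyMDM4OToxM2M1Y2I4MGFjMjk4OGI1ODQzZjc3NDUzOGFlMjZjYw==";
        String nc = "00000002", cnonce = "11ecd9bf947dbcf4", qop = "auth";
        String method = "GET", uri = "/admin/hello?name=User";

        // Client side: proves knowledge of the password without transmitting it.
        String clientResponse = response(ha1(username, realm, password), nonce, nc, cnonce, qop, method, uri);

        // Server side: recomputes from its stored Hash1 plus the header fields and compares in constant time.
        String storedHa1 = ha1(username, realm, password);   // what the server kept at enrollment
        String expected = response(storedHa1, nonce, nc, cnonce, qop, method, uri);
        boolean valid = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                              clientResponse.getBytes(StandardCharsets.UTF_8));
        System.out.println("response=" + clientResponse + " valid=" + valid);
        // A real server must also confirm the nonce is one it issued and has not expired; Spring's
        // DigestAuthenticationFilter does this by embedding a signed expiry timestamp in each nonce.
    }
}
```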
    

Q: How to implement Spring Boot + Digest Authentication?
Ans:

You can implement Digest Authentication with the following steps:

  • Create a Spring Boot project from Spring Initializr.
  • Add the spring-boot-starter-security Maven dependency to pom.xml.
  • Create a Spring Security configuration class by extending WebSecurityConfigurerAdapter.
  • Configure the user and password in the Spring Security configuration class.
  • Configure a DigestAuthenticationFilter in the Spring Security configuration class, and inject the userDetailsService and a DigestAuthenticationEntryPoint into it.
  • Create a simple REST endpoint to test the digest authentication configured in the step above.
  • Test the REST endpoint created above.
Refer to the Digest Authentication Example implemented as per the above steps.
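The filter and entry-point steps above as an added example (not the page's project code). The realm and user TestAdmin come from the example header; the nonce-signing key and the password are hypothetical. The user store keeps only Hash1 = MD5(username:realm:password) and tells the filter so via setPasswordAlreadyEncoded, so the plaintext password is never stored.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
import org.springframework.util.DigestUtils;
import java.nio.charset.StandardCharsets;

@Configuration
@EnableWebSecurity
public class DigestAuthSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String REALM = "admin-digest-realm";

    // Digest needs the plaintext password or Hash1; storing Hash1 keeps the plaintext out of the store.
    // Note the realm is baked into Hash1, so renaming the realm invalidates every stored value.
    @Bean
    public UserDetailsService digestUsers() {
        String ha1 = DigestUtils.md5DigestAsHex(
                ("TestAdmin:" + REALM + ":hypothetical-admin-password").getBytes(StandardCharsets.UTF_8));
        return new InMemoryUserDetailsManager(
                User.withUsername("TestAdmin").password(ha1).roles("ADMIN").build());
    }

    @Bean
    public DigestAuthenticationEntryPoint digestEntryPoint() {
        DigestAuthenticationEntryPoint entryPoint = new DigestAuthenticationEntryPoint();
        entryPoint.setRealmName(REALM);
        entryPoint.setKey("hypothetical-nonce-signing-key");  // server-side secret that signs issued nonces
        entryPoint.setNonceValiditySeconds(300);              // expired nonces are rejected, bounding replay
        return entryPoint;
    }

    // Deliberately not a @Bean: Spring Boot would also register a Filter bean outside the security chain.
    private DigestAuthenticationFilter digestAuthenticationFilter() {
        DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
        filter.setUserDetailsService(digestUsers());
        filter.setAuthenticationEntryPoint(digestEntryPoint());
        filter.setPasswordAlreadyEncoded(true);               // stored value is Hash1, not the password
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(digestAuthenticationFilter())
            .exceptionHandling().authenticationEntryPoint(digestEntryPoint())
            .and()
            .authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated();
    }
}
```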

Q: How to get the current logged-in username in Spring Security?
Ans:

The object returned by getContext() is an instance of the SecurityContext interface. Normally, the getPrincipal() method returns the UserDetails object, which in Spring Security holds all the details of the currently logged-in user.


Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// getAuthentication() is null when the request never passed through the security filter chain
Object principal = authentication != null ? authentication.getPrincipal() : null;

String loggedInUsername;
if (principal instanceof UserDetails) {
  // Authenticated user: the principal is the UserDetails object loaded at login
  loggedInUsername = ((UserDetails) principal).getUsername();
} else if (principal != null) {
  // Anonymous access, for example: the principal is the String "anonymousUser"
  loggedInUsername = principal.toString();
} else {
  loggedInUsername = null;
}

Q: What is SSL and why is it used?
Ans:

Secure Sockets Layer (SSL) was the most commonly used cryptographic protocol for securing internet communications.

SSL provides a secure channel between two machines or devices communicating over the internet or an internal network. A common example is using SSL to protect the communication between a web browser and a web server. This changes the address of the website from HTTP to HTTPS, where the 'S' stands for 'Secure'.

Q: How do I know a website is secured with SSL?
Ans:

Take a look at the URL of the website. If it starts with "https" instead of "http", the site is protected using an SSL certificate (the S stands for secure). SSL certificates protect your data as it is transferred from your browser to the web server.

Q: Why do we need an SSL certificate for a website?
Ans:

The SSL certificate is what enables the encryption of the data that goes back and forth between the user's device and the target website. Any time a user enters information on your site, SSL ensures that it travels securely from their browser to your web server.

Q: What happens if we don't have an SSL certificate?
Ans:

If you do not have an SSL certificate, a secure connection cannot be established, because the website's identity is not bound to a cryptographic key. An SSL certificate includes the following information:

  • Name of the holder
  • Serial number
  • Expiration date

Q: Can we create our own SSL certificate to enable HTTPS for a website?
Ans:

Yes, we can create an SSL certificate using keytool. An SSL certificate is tied to a key pair: a public key and a private key. These keys work together to establish an encrypted connection.

Follow the steps below to enable HTTPS for the website:

  1. Generate an SSL certificate in a keystore.
  2. Verify the keystore content.
  3. Convert the JKS keystore into PKCS12.
  4. Configure/enable SSL in Spring Boot.
  5. Configure Spring Security to require HTTPS requests.
Refer to the Enable HTTPS (HTTP + SSL) Example implemented as per the above steps.
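Steps 2 and 3 above done from Java rather than keytool, as an added example (not the page's project code): it loads the JKS keystore, lists every entry with its certificate expiry, and writes the same entries out as PKCS12. The file names keystore.jks / keystore.p12 and the password "changeit" are hypothetical, and the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

public class KeystoreCheck {

    /** Step 2: load the keystore and list each entry, warning about expired certificates. */
    static KeyStore inspect(String path, String type, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        // A wrong store password surfaces here as an IOException (the integrity check fails)
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storePassword); }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s [%s] subject=%s notAfter=%s%n", alias,
                    ks.isKeyEntry(alias) ? "private key + chain" : "trusted cert",
                    cert.getSubjectX500Principal(), cert.getNotAfter());
            if (cert.getNotAfter().before(new Date())) System.out.println("  WARNING: certificate has expired");
        }
        return ks;
    }

    /** Step 3: copy every entry into a PKCS12 store. Assumes the key password equals the store password. */
    static void convertToPkcs12(KeyStore source, String outPath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);                                   // start from an empty store
        for (Enumeration<String> aliases = source.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (source.isKeyEntry(alias)) {
                p12.setKeyEntry(alias, source.getKey(alias, password), password, source.getCertificateChain(alias));
            } else {
                p12.setCertificateEntry(alias, source.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream(outPath)) { p12.store(out, password); }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();              // hypothetical store password
        KeyStore jks = inspect("keystore.jks", "JKS", password); // hypothetical path from step 1
        convertToPkcs12(jks, "keystore.p12", password);
    }
}
```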

Q: What is PKCS12?
Ans:

PKCS12 (Public-Key Cryptography Standards #12) is a password-protected format that can hold many certificates and keys; it is the format mainly used across the industry.

Q: What is JKS?
Ans:

Java KeyStore (JKS) serves the same purpose as PKCS12, but it is a proprietary format limited to the Java environment.

Q: What is the difference between a Java KeyStore (JKS) and PKCS12?
Ans:

JKS was the default keystore format up to Java 8. Since Java 9, PKCS12 has been the default keystore format.
Another main difference between JKS and PKCS12 is that JKS is a Java-specific format, while PKCS12 stores encrypted private keys and certificates in a standardized and language-neutral way.