Spring Security is essential for securing Java applications. This guide covers 30 interview questions from basic to advanced, perfect for freshers, 1-3 years, and 3-6 years experienced candidates preparing for roles at companies like Amazon, Zoho, and Atlassian.
Basic Spring Security Interview Questions
1. What is Spring Security?
Spring Security is a powerful framework that provides comprehensive security services for Java applications, focusing on authentication (verifying who you are) and authorization (determining what you can do).[1][2][5]
2. What are the key features of Spring Security?
Key features include authentication support, authorization, protection against attacks like CSRF and session fixation, integration with Servlet API, and method-level security.[2][5][6]
3. What is the difference between authentication and authorization in Spring Security?
Authentication verifies user identity (like checking username/password), while authorization determines access rights (like role-based permissions).[2][3][5]
4. What types of authentication does Spring Security support?
Spring Security supports HTTP Basic, HTTP Digest, Form-based, OAuth2, LDAP, and persistent-login authentication.[1]
5. What is the Security Filter Chain in Spring Security?
The Security Filter Chain is a series of filters that intercept HTTP requests to handle authentication, authorization, and other security concerns before the request reaches the application.[3]
6. How does Spring Security protect against common web attacks?
It prevents CSRF with tokens, protects against session fixation by changing session IDs, and mitigates XSS through output encoding.[2][4]
7. What is CSRF and how does Spring Security handle it?
CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into submitting requests the user did not intend. Spring Security prevents it using CSRF tokens in forms and headers.[2][3][4]
8. What is password encoding in Spring Security?
Password encoding hashes passwords before storage using encoders like BCryptPasswordEncoder to protect against rainbow table attacks.[3][4]
9. What is salting in Spring Security?
Salting adds random data to passwords before hashing, making identical passwords produce different hashes and preventing dictionary attacks.[6]
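Added example (not from the original article) of what Q8 and Q9 describe: BCrypt through Spring's PasswordEncoder, showing why two encodings of one password differ and why verification must go through matches(). The password value and class name are constructed for the demo.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStorageDemo {
    // Cost factor 12 = 2^12 rounds: slow for an offline guessing attack, still fast enough for one login
    private static final PasswordEncoder BCRYPT = new BCryptPasswordEncoder(12);

    // Spring's default: output looks like "{bcrypt}$2a$12$..." so the algorithm is self-describing and can be rotated
    private static final PasswordEncoder DELEGATING = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Encoding the same password twice gives two different strings: BCrypt embeds a fresh random 16-byte salt each time. */
    static boolean saltsDiffer(String rawPassword) {
        return !BCRYPT.encode(rawPassword).equals(BCRYPT.encode(rawPassword));
    }

    /** Login check. Never compare hashes with equals(); matches() re-hashes the input with the salt stored in the hash. */
    static boolean login(String rawPassword, String storedHash) {
        return DELEGATING.matches(rawPassword, storedHash);
    }

    /** Reads the "{id}" prefix so an audit can find accounts still stored with a legacy algorithm. */
    static String algorithmOf(String storedHash) {
        int end = storedHash.indexOf('}');
        return storedHash.startsWith("{") && end > 0 ? storedHash.substring(1, end) : "unprefixed";
    }

    /** True when the stored hash should be re-encoded after a successful login (legacy id or too-low cost). */
    static boolean needsRehash(String storedHash) {
        return DELEGATING.upgradeEncoding(storedHash);
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password
        String stored = DELEGATING.encode(raw);        // what goes into the users table
        System.out.println("salts differ: " + saltsDiffer(raw));
        System.out.println("algorithm: " + algorithmOf(stored));
        System.out.println("correct password accepted: " + login(raw, stored));
        System.out.println("wrong password rejected: " + !login(raw.toUpperCase(), stored));
        // A legacy "{noop}" or "{MD5}" value still verifies through the delegating encoder but is flagged for upgrade
        System.out.println("legacy needs rehash: " + needsRehash("{noop}" + raw));
    }
}
```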
10. How do you enable Spring Security in a Spring Boot application?
Add the spring-boot-starter-security dependency and Spring Security auto-configures basic security.[2]
Intermediate Spring Security Interview Questions
11. What is UserDetailsService in Spring Security?
UserDetailsService loads user-specific data during authentication, returning a UserDetails object with username, password, and authorities.[3]
import org.springframework.security.core.userdetails.*;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {
    private final UserRepository userRepository; // hypothetical data-access bean, not part of the original snippet

    public CustomUserDetailsService(UserRepository userRepository) { this.userRepository = userRepository; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Load user from database; throw rather than return null so the login fails cleanly
        AppUser u = userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("No user: " + username));
        // Stored password must already be encoded (e.g. BCrypt); roles such as "USER" become ROLE_USER authorities
        return User.withUsername(u.getUsername()).password(u.getPassword()).roles(u.getRoles()).build();
    }
}
12. Explain the AuthenticationManager in Spring Security.
AuthenticationManager processes authentication requests using one or more AuthenticationProvider instances to verify credentials.[3]
13. What is SecurityContext and how does it work?
SecurityContext holds authentication details for the current request thread, accessible via SecurityContextHolder.[3]
14. How does HTTP Basic Authentication work in Spring Security?
The client sends Base64-encoded username:password in the Authorization header; the server decodes it and validates the credentials against the user store.[1]
15. What are the disadvantages of Basic Authentication?
Credentials are sent with every request (Base64 is encoding, not encryption), so they can be intercepted unless HTTPS is used, and there is no built-in logout.[1]
16. What is Digest Authentication in Spring Security?
Digest sends a hash of the credentials in a challenge-response exchange instead of the plaintext password; it is more secure than Basic but still requires HTTPS for full protection.[1]
17. How do you configure role-based access in Spring Security?
Use <intercept-url> patterns or antMatchers().hasRole() to restrict URLs by roles like ROLE_USER or ROLE_ADMIN.[1]
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz -> authz
                // hasRole("ADMIN") matches the authority ROLE_ADMIN; the prefix is added automatically
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // deny-by-default: every other URL still needs an authenticated user
                .anyRequest().authenticated())
            .formLogin(withDefaults()); // some login mechanism is needed, or authenticated() can never be satisfied
        return http.build();
    }
}
18. What is method-level security in Spring Security?
Method-level security uses annotations such as @PreAuthorize and @PostAuthorize on methods to enforce access rules at the method level rather than the URL level.[3][4]
19. How do you implement @PreAuthorize annotation?
Enable it with @EnableMethodSecurity, then use @PreAuthorize("hasRole('ADMIN')") on controller/service methods.[4]
20. What is the difference between roles and authorities in Spring Security?
Roles are prefixed with "ROLE_" (like ROLE_USER), while authorities are generic permissions (like READ); Spring treats roles as a special kind of authority.[4]
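Added example, not from the original article, that ties Q18 to Q20 together: a service protected with @PreAuthorize/@PostAuthorize plus a small check of how roles() and authorities() on Spring's User builder produce different authority strings. Class, user and record names are made up for the demo; the #owner expression relies on the -parameters compiler flag that the Spring Boot build plugins set.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import java.util.List;

public class MethodSecurityExample {
    @Configuration
    @EnableMethodSecurity // enables @PreAuthorize/@PostAuthorize; supersedes @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class MethodSecurityConfig {}

    public record Report(String id, String owner) {}

    @Service
    public static class ReportService {
        // hasRole('ADMIN') is shorthand for hasAuthority('ROLE_ADMIN'); the prefix is added by the expression
        @PreAuthorize("hasRole('ADMIN')")
        public void deleteAll() { /* privileged operation */ }
        // Plain authorities get no prefix: the caller needs exactly READ_PRIVILEGE, not ROLE_READ_PRIVILEGE
        @PreAuthorize("hasAuthority('READ_PRIVILEGE')")
        public Report read(String id) { return new Report(id, "alice"); }
        // Method arguments are usable by name: only the owner (or an admin) may read this record
        @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
        public Report readOwn(String owner) { return new Report("r-1", owner); }
        // Post-check on the return value: the loaded record must belong to the caller
        @PostAuthorize("returnObject.owner() == authentication.name")
        public Report load(String id) { return new Report(id, "alice"); }
    }

    /** How the two UserBuilder methods differ: roles() prepends ROLE_, authorities() stores the string verbatim. */
    static List<String> authorityNames(UserDetails u) {
        return u.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList();
    }

    public static void main(String[] args) {
        // constructed sample users; "{noop}" marks an unencoded password and is for demos only
        UserDetails admin = User.withUsername("alice").password("{noop}pw").roles("ADMIN").build();
        UserDetails reader = User.withUsername("bob").password("{noop}pw").authorities("READ_PRIVILEGE").build();
        System.out.println("alice: " + authorityNames(admin));  // stored as ROLE_ADMIN, so hasRole('ADMIN') passes
        System.out.println("bob: " + authorityNames(reader));   // stored verbatim; hasRole('READ_PRIVILEGE') would NOT match
        // roles("ROLE_ADMIN") would throw IllegalArgumentException: the builder refuses to double the prefix
    }
}
```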
Advanced Spring Security Interview Questions
21. What is JWT authentication in Spring Security?
JWT (JSON Web Token) is stateless authentication where tokens contain user claims, signed for verification without server-side sessions.[3][4]
22. How do you secure REST APIs with JWT in Spring Security?
Register a JwtAuthenticationFilter in the filter chain, validate tokens with a JwtDecoder, and extract the claims to build the Authentication.[4]
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import java.security.Key;

public class JwtService {
    private final byte[] secret; // HMAC secret; injected from configuration, never hard-coded in source

    public JwtService(byte[] secret) { this.secret = secret; }

    private Key getSigningKey() {
        return Keys.hmacShaKeyFor(secret); // jjwt 0.11.x API; rejects keys shorter than 256 bits for HS256
    }

    private String extractUsername(String token) {
        return extractAllClaims(token).getSubject();
    }

    // Parses AND verifies the signature; throws JwtException (e.g. ExpiredJwtException) for a bad or expired token
    public Claims extractAllClaims(String token) {
        return Jwts.parserBuilder()
                .setSigningKey(getSigningKey()).build()
                .parseClaimsJws(token).getBody();
    }
}
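An added example (not code from the article) of the filter Q22 names: it reads the Bearer token, verifies it with Spring Security's JwtDecoder, stores a JwtAuthenticationToken in the SecurityContext, and the configuration registers it in a stateless chain. It assumes spring-boot-starter-oauth2-resource-server is on the classpath and a JwtDecoder bean exists (Spring Boot builds one from spring.security.oauth2.resourceserver.jwt.jwk-set-uri); the built-in oauth2ResourceServer().jwt() support does the same job as this hand-written filter.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtDecoder jwtDecoder; // verifies signature, exp/nbf and issuer; claims are only read after this succeeds
    private final JwtAuthenticationConverter converter = new JwtAuthenticationConverter(); // sub -> principal, scope -> SCOPE_*
    public JwtAuthenticationFilter(JwtDecoder jwtDecoder) { this.jwtDecoder = jwtDecoder; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Jwt jwt = jwtDecoder.decode(header.substring("Bearer ".length()));
                // converter.convert() yields a JwtAuthenticationToken, the type Q29 below refers to
                SecurityContextHolder.getContext().setAuthentication(converter.convert(jwt));
            } catch (JwtException e) {
                SecurityContextHolder.clearContext(); // invalid/expired token: stay anonymous, let authorization reject
            }
        }
        chain.doFilter(req, res);
    }
}

@Configuration
class JwtApiSecurityConfig {
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        http.csrf(csrf -> csrf.disable()) // no session cookie is issued, so CSRF tokens do not apply to this API
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // no HttpSession per JWT
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .addFilterBefore(new JwtAuthenticationFilter(decoder), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```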
23. What is a Custom AuthenticationProvider?
Implements AuthenticationProvider to handle custom authentication logic, like multi-factor auth or external identity providers.[3]
24. How many filters are in the Spring Security filter chain?
Spring Security has 15+ filters ordered by @Order annotation, including UsernamePasswordAuthenticationFilter, CsrfFilter, etc.[1]
25. What is OAuth2 in Spring Security?
OAuth2 enables delegated authorization via access tokens from providers, supporting flows like authorization code and client credentials.[1][4]
26. How do you enable HTTPS in Spring Security?
Configure HttpSecurity.requiresChannel().requiresSecure() or set server.ssl properties in application.yml.[1]
27. What is mutual authentication (mTLS)?
Both client and server authenticate each other using certificates, configured via Spring Security’s X509 authentication.[1]
28. Scenario: At Zoho, how would you implement role-based and permission-based access control?
Use @PreAuthorize("hasRole('ADMIN')") for roles and @PreAuthorize("hasAuthority('READ_PRIVILEGE')") for granular permissions.[4]
29. Scenario: For a Flipkart microservices architecture, how do you secure services with Spring Security and JWT?
The gateway validates the JWT and propagates it via headers; each service uses JwtAuthenticationToken for stateless authentication and method security.[3][4]
30. How does Spring Security handle session fixation attacks?
By default, it changes the session ID after a successful login (session-fixation-protection), so a session ID known to an attacker before login cannot be used to hijack the authenticated session.[2]
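Added example (not from the article) that makes the defaults behind Q7 and Q30 explicit: the session-fixation strategy and CSRF token handling in one form-login chain, with the weak alternatives noted in comments. The class name is constructed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SessionAndCsrfConfig {

    @Bean
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(withDefaults())
            .sessionManagement(s -> s
                // Session-fixation strategies, strongest to weakest:
                //   newSession()      - fresh session, attributes dropped
                //   migrateSession()  - fresh session id, attributes copied over
                //   changeSessionId() - Servlet 3.1+ default: same session object, new id (what Q30 describes)
                //   none()            - keeps the pre-login id; the weak setting that leaves fixation possible
                .sessionFixation(f -> f.changeSessionId())
                // a second login for the same principal expires the earlier session instead of running two
                .maximumSessions(1))
            // CSRF protection stays ON (the default). Server-rendered forms get the token automatically; for a
            // JavaScript client, a readable XSRF-TOKEN cookie lets it echo the value in the X-XSRF-TOKEN header.
            .csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

Spring Security 6 loads the CSRF token lazily, so a single-page app also needs the small token-loading filter (CsrfCookieFilter) shown in the reference documentation, or the cookie is not written until something reads the token.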