Tuesday, October 17, 2017

Spring Security Interview Questions and Answers

In this post we will go through frequently asked Spring Security interview questions. Every programmer should know how to secure the software they build, and Spring Security is a powerful and highly customizable authentication and access-control framework for doing so: it provides both authentication (who is the caller) and authorization (what the caller may do). Now we will see some important Spring Security interview questions.

1)What is Spring Security?

Spring Security is a project under the Spring framework umbrella that addresses the security requirements of enterprise Java applications. Formerly known as Acegi Security, it provides out-of-the-box support for a generated login page, remember-me cookies, securing URLs, authentication providers that authenticate users against a database, LDAP or an in-memory store, concurrent session control, and more. To use Spring Security in a Spring MVC project you add the spring-security-web and spring-security-config jars (which pull in spring-security-core) and configure it in a file such as applicationContext-security.xml. The file name is up to you, but the file must be loaded by ContextLoaderListener, which creates the root Spring application context (the DispatcherServlet builds its own child context on top of that root context).


2) Why do you need method security? What type of object is typically secured at the method level?

Ans: Spring Security applies method-level security through AOP: a proxy around the bean intercepts each call and checks the caller's granted authorities before the method body runs, so a secured service method is protected no matter which controller or client calls it.

  • Annotations: Spring's own (@Secured, @PreAuthorize/@PostAuthorize) or the JSR-250 ones (@RolesAllowed)
  • Java configuration (@EnableGlobalMethodSecurity) or the XML <global-method-security> element to activate detection of those annotations
  • It typically secures the service layer
  • Callers should not access repositories directly, because that bypasses both the security checks and the transactions declared on the service layer
3) Does Spring Security secure the whole application?

Ans: No. Spring Security secures HTTP requests (through its servlet filter chain) and method invocations (through AOP), and it protects against a number of web attacks such as CSRF and session fixation. It does not by itself make an application safe: input validation, parameterized database access, correct TLS configuration and secure handling of secrets remain the application's responsibility, so a web application needs these additional measures to be fully protected from attackers.


4) How is the security mechanism implemented using Spring?
Ans: Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications and focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

For web applications Spring Security plugs in through the DelegatingFilterProxy. It is a standard servlet Filter, registered in web.xml, that delegates every request to a Spring-managed bean implementing the Filter interface. By default that bean is the one named springSecurityFilterChain: a FilterChainProxy that runs the Spring Security filters (authentication, exception translation, access-control interception and so on) in the order the configuration defines.
Some of the features of Spring Security are:
  1. Comprehensive and extensible support for both authentication and authorization
  2. Protection against attacks like session fixation, clickjacking and cross-site request forgery (CSRF)
  3. Servlet API integration, and optional integration with Spring Web MVC
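The following is an added example (not code from the original post) showing the Java-configuration equivalent of the mechanism described above: @EnableWebSecurity creates the springSecurityFilterChain bean, the initializer registers the DelegatingFilterProxy in a Servlet 3.0+ container instead of web.xml, and the HttpSecurity rules turn on the CSRF, clickjacking and session-fixation protections listed in the answer. It assumes Spring Security 4.x, and the URL patterns and role names are assumptions for illustration only.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

@Configuration
@EnableWebSecurity   // creates the "springSecurityFilterChain" FilterChainProxy bean
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // URL patterns and roles are assumptions for this example
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/restful/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()          // generated login page for browser clients
                .and()
            .httpBasic()          // HTTP Basic for the REST clients
                .and()
            // CSRF protection is enabled by default; stating it makes the choice explicit
            .csrf()
                .and()
            .headers()
                .frameOptions().deny()   // X-Frame-Options: DENY, blocks clickjacking
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()  // new session id on login, defeats session fixation
                .maximumSessions(1);                 // concurrent session control: one session per user
    }
}

// Registers DelegatingFilterProxy (looking up "springSecurityFilterChain") in a
// Servlet 3.0+ container, replacing the web.xml filter entry. Normally its own file.
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
```

If the application still uses web.xml, drop the initializer class and register DelegatingFilterProxy there with filter-name springSecurityFilterChain; the HttpSecurity configuration stays the same.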

5) How do you enable Spring Security in a web application?

You enable Spring Security by registering the filter org.springframework.web.filter.DelegatingFilterProxy in your application's web.xml, mapped to /* and with the filter-name springSecurityFilterChain (the default bean name of Spring Security's FilterChainProxy). In a Servlet 3.0+ container without web.xml the same registration is done by subclassing org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.
6)What is the delegating filter proxy?
Spring’s DelegatingFilterProxy provides the link between web.xml and the application context. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces.

Example:
<filter>
  <!-- The filter-name must equal the name of the Spring bean to delegate to;
       springSecurityFilterChain is the bean the security namespace / @EnableWebSecurity creates -->
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

7) What is the security filter chain?
Spring Security's web support consists of many servlet filters, and each of them is a Spring bean. A filter is only applied to requests if the servlet container knows about it, which normally means declaring it in web.xml. One option is to add a DelegatingFilterProxy entry in web.xml for every security filter bean, but then the filter order has to be maintained by hand in web.xml, and the file quickly gets cluttered if there are many filters. FilterChainProxy solves this: a single DelegatingFilterProxy entry in web.xml delegates to the FilterChainProxy bean, and the filter chains, their URL patterns and the filter order are managed entirely in the application context file. When the security namespace (<http>) or @EnableWebSecurity is used, this FilterChainProxy is created for you under the bean name springSecurityFilterChain; the explicit bean definition below shows what it contains.

Example:

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
 <list>
 <sec:filter-chain pattern="/restful/**" filters="
  securityContextPersistenceFilterWithASCFalse,
  basicAuthenticationFilter,
  exceptionTranslationFilter,
  filterSecurityInterceptor" />
 <sec:filter-chain pattern="/**" filters="
  securityContextPersistenceFilterWithASCTrue,
  formLoginFilter,
  exceptionTranslationFilter,
  filterSecurityInterceptor" />
 </list>
</constructor-arg>
</bean>

8) From the application's perspective, how many user roles are needed in Spring Security?
Answer:
Spring Security does not fix a number of user roles. An application defines whatever roles (granted authorities such as ROLE_USER or ROLE_ADMIN) its access rules need, and the roles only have meaning in the <intercept-url>, @Secured or @PreAuthorize rules that reference them. The three roles usually quoted in this answer come from a banking example:

Supervisors
Tellers
Plain Users

9) How do you configure Spring Security with JDBC authentication?
Ans: Inject a DataSource and register JDBC authentication on the AuthenticationManagerBuilder. Passwords must be stored hashed, so a PasswordEncoder is set and the sample users are encoded with it.

import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Autowired
private DataSource dataSource;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        .passwordEncoder(encoder)   // hashes stored passwords and verifies them at login
        .withDefaultSchema()        // runs Spring Security's default users/authorities DDL (meant for an embedded DB such as HSQLDB)
        .withUser("user").password(encoder.encode("password")).roles("USER")
        .and()
        .withUser("admin").password(encoder.encode("password")).roles("USER", "ADMIN");
}

10)What is authentication and authorization? Which must come first?

  • Authentication – Establishing that a principal’s credentials are valid
  • Authorization – Deciding if a principal is allowed to perform an action
Authentication must come first: authorization needs the authenticated principal and its granted authorities (the Authentication object held in the SecurityContext) in order to decide whether that principal may perform an action on a secured resource.

11)Does Spring Security support password hashing? What is salting?

Ans: Yes. Spring Security's PasswordEncoder interface (with implementations such as BCryptPasswordEncoder) hashes passwords before they are stored and verifies them with matches() at login. A salt is a random value combined with the password before hashing and stored alongside, or inside, the resulting hash. It makes identical passwords produce different hashes and defeats precomputed dictionary and rainbow-table attacks if the password store is compromised, because every hash has to be attacked separately.
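The following is an added example (not code from the original post) that demonstrates the salting described above with BCryptPasswordEncoder: the same password hashed twice yields two different stored values, yet both verify, because the salt is generated per call and embedded in the stored string. It assumes Spring Security 4.x or 5.x on the classpath; the password strings are constructed sample input.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // BCrypt with the default strength (cost factor 10)
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Hash a password for storage. BCrypt draws a fresh random salt on every call and
    // embeds it in the output ("$2a$10$" + 22-character salt + 31-character hash).
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Verify a login attempt. The salt is read back out of the stored hash, so no
    // separate salt column is needed in the users table.
    public static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    // Two hashes of the same password are never equal, because their salts differ.
    public static boolean hashesDiffer(String rawPassword) {
        return !hashForStorage(rawPassword).equals(hashForStorage(rawPassword));
    }

    public static void main(String[] args) {
        String sample = "correct horse battery staple";   // constructed sample password
        String first = hashForStorage(sample);
        String second = hashForStorage(sample);

        System.out.println("stored #1: " + first);
        System.out.println("stored #2: " + second);
        System.out.println("hashes differ: " + hashesDiffer(sample));
        System.out.println("first verifies: " + verify(sample, first));
        System.out.println("second verifies: " + verify(sample, second));
        System.out.println("wrong password verifies: " + verify("wrong password", first));
    }
}
```

Because the salt lives inside the hash, a leaked users table gives an attacker nothing precomputable: each row has to be brute-forced on its own, and BCrypt's cost factor makes every guess deliberately slow. In Spring Security 5 the same encoder is normally obtained through PasswordEncoderFactories.createDelegatingPasswordEncoder(), which prefixes stored values with {bcrypt} so the algorithm can be upgraded later.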

12) What is the difference between @Secured and @PreAuthorize in Spring Security?
Ans: @Secured takes a list of authority names and grants access if the user holds any one of them, so the list is an OR: @Secured({"ROLE_role1", "ROLE_role2"}) admits a user with either role (the ROLE_ prefix must be written out, because RoleVoter only votes on attributes carrying that prefix). @PreAuthorize takes a SpEL expression, so it can express AND, NOT and checks on method arguments: @PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')") allows the call only when the user holds both roles. In Spring Security 4 and later hasRole() adds the ROLE_ prefix itself, so hasRole('role1') and hasRole('ROLE_role1') are equivalent.
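The following is an added example (not code from the original post) serving both question 2 (method security on the service layer) and question 12: it activates annotation detection with @EnableGlobalMethodSecurity and contrasts the OR semantics of @Secured with an AND and an argument check expressed in @PreAuthorize. AccountService, its methods and the TELLER/SUPERVISOR roles are hypothetical; the argument check assumes the class is compiled with parameter names available (javac -parameters or debug info), which Spring needs to resolve #owner.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Turns on detection of @Secured and @PreAuthorize/@PostAuthorize on Spring beans.
// Spring wraps each annotated bean in an AOP proxy that checks the SecurityContext
// before delegating to the real method. Normally its own file.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical service; the service layer is the usual place for method security.
@Service
public class AccountService {

    // @Secured is an OR: ROLE_TELLER alone or ROLE_SUPERVISOR alone is enough.
    // The full authority string, including the ROLE_ prefix, must be written out.
    @Secured({"ROLE_TELLER", "ROLE_SUPERVISOR"})
    public long viewBalance(long accountId) {
        return lookupBalance(accountId);
    }

    // @PreAuthorize evaluates SpEL, so an AND is expressible.
    // hasRole() prepends ROLE_ itself (Spring Security 4+).
    @PreAuthorize("hasRole('TELLER') and hasRole('SUPERVISOR')")
    public void approveLargeTransfer(long accountId, long amount) {
        // ... transfer logic; only reached when the caller holds both roles
    }

    // Argument-level checks are only possible with @PreAuthorize: a supervisor may
    // close any account, a plain user only an account whose owner is the logged-in name.
    @PreAuthorize("hasRole('SUPERVISOR') or #owner == authentication.name")
    public void closeAccount(long accountId, String owner) {
        // ... closing logic
    }

    // Stand-in for repository access; real code would call a repository bean here.
    private long lookupBalance(long accountId) {
        return 0L;
    }
}
```

If a controller bypassed AccountService and called the repository directly, none of these checks would run, which is the point made in question 2 about not accessing repositories directly.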

That is all about Spring Security interview questions; subscribe for the latest updates.


