4. Spring Security Flashcards
What is Spring Security?
Spring Security is a powerful and customizable authentication and access control framework for Java applications, particularly those built using the Spring framework.
True or False: Spring Security is only used for authentication.
False. Spring Security provides both authentication and authorization features.
What are the core components of Spring Security?
The core components of Spring Security include Authentication, Authorization, Security Context, Filters, and Security Interceptors.
Fill in the blank: Spring Security provides _____ for securing web applications.
authentication and authorization
What is the purpose of the SecurityContextHolder?
The SecurityContextHolder stores the security context, which contains the authentication details of the currently authenticated user.
What is a UserDetailsService?
UserDetailsService is an interface in Spring Security that is used to retrieve user-related data, typically for authentication purposes.
How can you secure a REST API using Spring Security?
You can secure a REST API using Spring Security by configuring HTTP security to require authentication for certain endpoints and using JWT or OAuth2 for token-based authentication.
What is CSRF and how does Spring Security handle it?
CSRF stands for Cross-Site Request Forgery. Spring Security provides built-in protection against CSRF attacks by requiring a CSRF token for state-changing requests.
What is the purpose of the @EnableWebSecurity annotation?
The @EnableWebSecurity annotation is used to enable Spring Security's web security support and provide Spring MVC integration.
What role does the AuthenticationManager play in Spring Security?
The AuthenticationManager is responsible for processing authentication requests and returning an Authentication object if the credentials are valid.
Multiple choice: Which of the following is a valid way to configure HTTP security in Spring Security? (A) Using XML configuration (B) Using Java configuration (C) Both A and B
C) Both A and B
What is the difference between Authentication and Authorization?
Authentication is the process of verifying the identity of a user, while Authorization determines what an authenticated user is allowed to do.
True or False: Spring Security supports method-level security.
True. Spring Security provides annotations like @PreAuthorize and @Secured for method-level security.
What is the role of a Filter in Spring Security?
Filters in Spring Security are used to intercept requests and responses so that operations such as authentication and authorization can be performed.
What is the purpose of the @PreAuthorize annotation?
The @PreAuthorize annotation is used to specify method-level security by allowing access based on the evaluation of an expression.
Fill in the blank: Spring Security uses _____ to generate secure tokens for stateless authentication.
JWT (JSON Web Tokens)
What is a Security Filter Chain?
A Security Filter Chain is a sequence of filters that Spring Security applies to incoming requests, allowing for various security checks.
What is the role of the PasswordEncoder in Spring Security?
PasswordEncoder is an interface that provides methods for encoding and verifying passwords securely.
Multiple choice: Which of the following protocols can Spring Security support for OAuth? (A) OAuth 1.0 (B) OAuth 2.0 (C) Both A and B
B) OAuth 2.0
What is the purpose of the @Secured annotation?
The @Secured annotation is used to specify the roles that are allowed to execute a particular method.
True or False: Spring Security can be integrated with other frameworks like JPA and Hibernate.
True. Spring Security can be integrated with various frameworks to enhance security in applications.
What is the default login page provided by Spring Security?
The default login page provided by Spring Security is a simple HTML form that prompts for a username and password.
What is the use of the SecurityConfigurerAdapter?
SecurityConfigurerAdapter is a base class that allows developers to customize the security configuration by overriding methods.
Fill in the blank: In Spring Security, the _____ interface is used to represent the authentication token.
Authentication
What is the purpose of the Remember-Me feature in Spring Security?
The Remember-Me feature allows users to remain authenticated across sessions, even after closing and reopening the browser.
What are some common authentication mechanisms supported by Spring Security?
Common authentication mechanisms include form-based login, basic authentication, digest authentication, and token-based authentication.
What is the role of the @EnableGlobalMethodSecurity annotation?
The @EnableGlobalMethodSecurity annotation is used to enable method-level security annotations in a Spring application.
What is LDAP and how does Spring Security interact with it?
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory services. Spring Security can authenticate users against an LDAP server.
True or False: Spring Security can only be used with web applications.
False. Spring Security can be used with both web applications and non-web applications.
What is the purpose of the @PostAuthorize annotation?
The @PostAuthorize annotation is used for method-level security checks after a method execution has completed.
Fill in the blank: The _____ interface is used by Spring Security to represent the principal in the security context.
UserDetails
What is the purpose of the OAuth2ClientContext?
The OAuth2ClientContext holds the state of the OAuth2 client, including access tokens and refresh tokens.
What is the difference between Basic Authentication and Form-based Authentication?
Basic Authentication sends credentials as a Base64-encoded string in the HTTP header, while Form-based Authentication uses an HTML form to collect credentials.
What is the role of the AccessDecisionManager in Spring Security?
The AccessDecisionManager is responsible for making authorization decisions based on the user’s roles and permissions.
Multiple choice: Which of the following is NOT a part of Spring Security? (A) Authentication (B) Caching (C) Authorization
B) Caching
What is the purpose of the SecurityExpressionRoot class?
SecurityExpressionRoot provides access to security expressions that can be used in method security annotations.
Fill in the blank: Spring Security provides _____ to protect against session fixation attacks.
session management
What is a SecurityFilter?
A SecurityFilter is an interface that represents a single security filter in the Spring Security filter chain.
True or False: Spring Security is a standalone framework.
False. Spring Security is part of the larger Spring ecosystem.
What is the purpose of the @RolesAllowed annotation?
The @RolesAllowed annotation is used to specify which roles are allowed to access a particular method.
What is the role of the AuthenticationProvider in Spring Security?
The AuthenticationProvider is responsible for performing the actual authentication logic, such as validating user credentials.
Multiple choice: Which method is used to configure CORS in Spring Security? (A) configureCors() (B) configure(HttpSecurity http) (C) configureGlobal()
B) configure(HttpSecurity http)
What does the @EnableWebMvcSecurity annotation do?
The @EnableWebMvcSecurity annotation is deprecated. It was used to enable Spring Security’s web security configuration.
Fill in the blank: Spring Security can be configured using _____, Java configuration, or a mix of both.
XML
What is a custom filter in Spring Security?
A custom filter is a user-defined filter that can be added to the Spring Security filter chain to implement custom security logic.
What is the purpose of the AuthorizationServerConfigurerAdapter?
AuthorizationServerConfigurerAdapter is used to configure the OAuth2 authorization server settings in Spring Security.
What is the role of the ResourceServerConfigurerAdapter?
ResourceServerConfigurerAdapter is used to configure the resource server settings for OAuth2 in Spring Security.
True or False: Spring Security supports multi-factor authentication.
True. Spring Security can be configured to support multi-factor authentication.
What is the purpose of the OAuth2ResourceServerConfigurerAdapter?
OAuth2ResourceServerConfigurerAdapter is used to configure the resource server settings for OAuth2 resource access.
What is the role of the @RequestMapping annotation in Spring Security?
The @RequestMapping annotation is used to map HTTP requests to handler methods, which can be secured using Spring Security.
Fill in the blank: The _____ interface defines methods for handling authentication requests.
AuthenticationManager
What is the purpose of the OAuth2AuthorizationRequest?
OAuth2AuthorizationRequest represents the authorization request sent to the OAuth2 authorization server.
What does the @AuthenticationPrincipal annotation do?
The @AuthenticationPrincipal annotation is used to inject the current authenticated user’s principal into method parameters.
What is a SecurityEvent?
A SecurityEvent is an event published by Spring Security that indicates a security-related action, such as successful or failed authentication.
What is the purpose of the SecurityConfigurer interface?
SecurityConfigurer is an interface that provides methods for configuring security settings in a Spring application.
True or False: Spring Security allows for both HTTP and method-level security.
True. Spring Security provides mechanisms for securing both HTTP requests and method invocations.
What is the role of the HttpSecurity class?
HttpSecurity is used to configure web-based security for specific HTTP requests in a Spring application.
What is the purpose of the SecurityContext?
The SecurityContext holds the security information for the current execution, including authentication details.
Fill in the blank: The _____ class is used to represent a user’s granted authorities.
GrantedAuthority
What is the purpose of the AccessDeniedHandler?
The AccessDeniedHandler is invoked when a user attempts to access a resource they are not authorized to access.
What is a security expression in Spring Security?
A security expression is a language feature that allows for specifying security constraints declaratively in annotations.
Multiple choice: Which of the following is a method of the UserDetails interface? (A) getUsername() (B) getAuthorities() (C) Both A and B
C) Both A and B
What role does the SecurityFilterChain play in authorization?
The SecurityFilterChain determines how requests are authenticated and authorized by applying the appropriate filters.
What is the purpose of the PasswordEncoderFactoryBean?
PasswordEncoderFactoryBean is a factory for creating PasswordEncoder instances, allowing for customizable password encoding.
True or False: Spring Security is only compatible with Spring Boot applications.
False. Spring Security can be used with both Spring Boot and traditional Spring applications.
What is the purpose of the AuthenticationSuccessHandler?
The AuthenticationSuccessHandler is invoked after a successful authentication attempt, allowing for custom actions.
What is the role of the AuthenticationFailureHandler?
The AuthenticationFailureHandler is invoked when authentication fails, allowing for custom error handling.
Fill in the blank: Spring Security can be configured to use _____ for session management.
stateless or stateful sessions
What is the purpose of the SecurityContextPersistenceFilter?
SecurityContextPersistenceFilter is responsible for storing and retrieving the SecurityContext for each request.
What is the role of the LogoutSuccessHandler?
The LogoutSuccessHandler is invoked after a successful logout, allowing for custom actions post-logout.
What is a security configuration class in Spring Security?
A security configuration class is a Java class annotated with @Configuration that defines security settings for the application.
Multiple choice: Which of the following is a valid way to implement custom authentication in Spring Security? (A) Implementing UserDetails (B) Extending AuthenticationProvider (C) Both A and B
C) Both A and B
What is the purpose of the SecurityContextHolderStrategy?
SecurityContextHolderStrategy is an interface that defines the strategy for storing and retrieving the SecurityContext.
Fill in the blank: The _____ interface defines methods for managing user accounts in Spring Security.
UserDetailsService