42-Securing-REST-Application

Question 1

List out security concepts

Answer 1

Principal
Authentication
Authorization
Authority
Secure resource

Question 2

What is authority?

Answer 2

Permission or credential enabling access. The most familiar example of authority is a role (string)

Question 3

List out 5 authentication mechanisms:

Answer 3

Basic
Digest
Form
X.509
OAuth

Question 4

What is LDAP?

Answer 4

DAP: directory access protocol
LDAP: DAP using TCP/IP

Question 5

What does authorization do?

Answer 5

check if user has the required authority

Question 6

What are the advantages of Spring Security?

Answer 6

1. Portable: can use for any Spring project
2. Separation of concerns
3. Flexible & extensible: support many:
   a. authentication mechanisms
   b. storages
   c. customizable

Question 7

What does AuthenticationManager do?

Answer 7

authenticate(Authentication) return full Authentication object if successful.
Throw AuthenticationException or sub-class if fails

Question 8

What inside Authentication?

Answer 8

1. List of GrantedAuthority
2. Principal: Object
3. Credentials: Object

Question 9

What does AccessDecisionManager do?

Answer 9

Holding list of Voter to decide if the user allows accessing a secured resource

Question 10

List out default voters in AccessDecisionManager

Answer 10

1. RoleVoter: having the right role or not

2. AuthenticatedVoter: logged in as a valid user or not

Question 11

What is the result of AccessDecisionManager.decide()?

Answer 11

1. AccessDeniedException: same as 403
2. InsufficientAuthenticationException: same as 401
3. successful otherwise

Question 12

In the big picture of Spring Security, how do components work together to protects secured resources?

Answer 12

1. AuthenticationManager populates SecurityContext with Authentication object
2. Security Interceptor obtains SecurityContext and passes it to AccessDecisionManager to check
3. If pass, allow access to the secured resource

Question 13

What are the steps to setup Spring security in a web environment?

Answer 13

1. Setup Filter Chain - Spring Boot does this for you
2. Configure authorization rules
3. Setup web authentication

Question 14

How springSecurityFilterChain works with DelegatingFilterProxy?

Answer 14

1. DelegatingFilterProxy stays in front of DispatcherServlet
2. DelegatingFilterProxy delegates request to springSecurityFilterChain to check authentication/authorization
3. springSecurityFilterChain having a list of filters to check the permission
4. If successful, DelegatingFilterProxy will forward the request to DispatcherServlet
   Note: all implement javax.servlet.Filter

Question 15

List out default filters in springSecurityFilterChain

Answer 15

1. SecurityContextPersistenceFilter
2. LogoutFilter
3. UsernamePasswordAuthenticationFilter
4. ExceptionTranslationFilter
5. FilterSecurityInterceptor: does the hard work of performing permission checking

Question 16

What does SecurityContextPersistenceFilter do?

Answer 16

1. Finds security context in session and sets it for the current thread
2. Stores security context back into session

Question 17

What does UsernamePasswordAuthenticationFilter do?

Answer 17

Puts Authentication into the SecurityContext on login request.

Question 18

What does ExceptionTranslationFilter do?

Answer 18

Converts SpringSecurity exceptions into HTTP response or redirect

Question 19

What is the default username?

Answer 19

user

Question 20

How to configure custom security for your application?

Answer 20

@Configuration
@EnableWebSecurity // not need if Spring Boot
class ClassName extends WebSecurityConfigurerAdapter

Question 21

How to enable security in a web app?

Answer 21

Using @EnableWebSecurity if not using Spring Boot

Question 22

Ant style: /admin/* vs. /admin/**

Answer 22

/admin/** any path under /admin

/admin/* only matches /admin/xxx

Question 23

antMatchers vs. mvcMatchers

Answer 23

Similar but there are some issue with antMatchers e.g. antMatchers(“/admin”) matches “/admin/”: potential security risk
mvcMatchers: recommended

Question 24

Overloads of mvcMatchers

Answer 24

1. mvcMatchers(path1, path2)

2. mvcMatchers(httpMethod, path)

Question 25

hasRole vs. hasAnyRole

Answer 25

e. g. hasRole(roleName)

e. g. hasAnyRole(roleName1, roleName2)

Question 26

What is the prefix value of authority?

Answer 26

ROLE_

Question 27

Write custom role checking?

Answer 27

Using SpEL:

mvcMatchers(“…”).access(“hasRole(‘ADMIN’) && hasRole(‘USER’)”)

Question 28

Service to get user?

Answer 28

UserDetailsService.loadUserByUsername(String username): UserDetails

Question 29

Web security: how to authorize a URL?

Answer 29

1. Override WebSecurityConfigurerAdapter.configure(HttpSecurity)
2. Using mvcMatcchers().hasRole()

Question 30

How to ignore all permission checking on static resources?

Answer 30

1. Override WebSecurityConfigurerAdapter.configure(WebSecurity)
2. web.ignoring().mvcMatchers(…)

Question 31

How to configure AuthenticationManager?

Answer 31

Override WebSecurityConfigurerAdapter.configure(AuthenticationManagerBuilder)

Question 32

What is the authentication flow for basic authentication?

Answer 32

1. Request goes to BasicAuthenticationFilter (extends UsernamePasswordAuthenticationToken)
2. Calling auth = AuthenticationManager.authenticate(Authentication)
   a. Fail if throwing AuthenticationException
   b. Fully Authentication object otherwise
3. AuthenticationManager is a ProviderManager that contains a list of AuthenticationProvider
   a. Loop through all AuthenticationProvider
   b. Call AuthenticationProvider.supports(Class> authenticationClass) if true, call AuthenticationProvider.authenticate(Authentication) forwards result to ProviderManager. If AuthenticationProvider is a DaoAuthenticationProvider, it calls UserDetailsService to lookup for user

Question 33

Where is Authentication stored?

Answer 33

SecurityContextHolder

Question 34

How to authenticate with the basic authentication mechanism?

Answer 34

Calculate token = base64 value of username:password
Put in the header:
authentication: Basic $token

Question 35

Implementations of AuthenticationProvider

Answer 35

1. DaoAuthenticationProvider
2. LdapAuthenticationProvider
3. OpenIDAuthenticationProvider
4. RememberMeAuthenticationProvider

Question 36

Implementations of UserDetailsService

Answer 36

InMemoryUserDetailsManager
JdbcUserDetailsManager
LdapUserDetailsManager

Question 37

How to configure user and role using InMemoryUserDetailsManager?

Answer 37

1. Override WebSecurityConfigurerAdapter.configure(AuthenticationManagerBuilder auth)
2. Configure:
   auth.inMemoryAuthentication()
   .withUser(username).password(passwordEncoder.encode(pw)).roles(roleName)
   // .and().with… next user

Question 38

How to configure JdbcUserDetailsManager?

Answer 38

1. Override WebSecurityConfigurerAdapter.configure(AuthenticationManagerBuilder auth)
2. Configure
   auth. jdbcAuthentication().dataSource(ds)

Question 39

How to configure custom UserDetailsService?

Answer 39

Just implement UserDetailsService interface and mark it with @Service. DaoAuthenticationProvider will find and use it

Question 40

How to add a custom AuthenticationProvider?

Answer 40

1. Override WebSecurityConfigurerAdapter.configure(AuthenticationManagerBuilder auth) and annotate with @Configuration
2. Add
   auth. authenticationProvider(customAuthenticationProvider)

Question 41

What is password encoded format?

Answer 41

{encoderId}encodedPassword
example:
{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG

Question 42

What is the default password encoder?

Answer 42

BcryptPasswordEncoder

Question 43

How to encode a password?

Answer 43

PasswordEncoderFactories.createDelegatingPasswordEncoder().encode(password);

Question 44

What class manages all password encoders?

Answer 44

DelegatingPasswordEncoder

Question 45

Does Spring provide a default login page?

Answer 45

yes

Question 46

How to enable basic authentication?

Answer 46

1. Override WebSecurityConfigurerAdapter.configure(HttpSecurity)
2. Configure
   http.authorizeRequests()
   …
   .and()
   .httpBasic();

Question 47

Which layer is recommended for method security?

Answer 47

service layer beans

Question 48

What exception will be thrown if method access is not allowed?

Answer 48

AccessDeniedException

Question 49

How to enable method security JSR-250?

Answer 49

@EnableGlobalMethodSecurity(jsr250Enabled=true)

Question 50

How to set role-required for a method using method security JSR-250?

Answer 50

@RoleAllowed(“ROLE_ADMIN”)

public void method() {}

Question 51

How to set role-required “ADMIN” for a method using method security JSR-250?

Answer 51

Must use full-name ROLE_ADMIN instead of ADMIN
@RoleAllowed(“ROLE_ADMIN”)
public void method() {}

Question 52

How to enable method security?

Answer 52

@EnableGlobalMethodSecurity(prePostEnabled=true)

Question 53

How to check role and argument with method security?

Answer 53

@PreAuthorize(“hasRole(‘ADMIN’) && #order.id == 1”)

public Item findItem(Order order) {}

Question 54

How to check role and return value with method security?

Answer 54

@PostAuthorize(“hasRole(‘ADMIN’) && returnObject.id == 1”)

public Item findItem(Order order) {}

Question 55

How to enable @Secured?

Answer 55

@Configuration

@EnableGlobalMethodSecurity(securedEnabled = true)

Question 56

What can we do with @Secured?

Answer 56

Check role only e.g.
@Secured({"ROLE_A", "ROLE_B"})
void method()

Question 57

How to test the controller with spring security?

Answer 57

1. Add @WebMvcTest(Controller.class) to test class
   a. Override config if needed: @ContextConfiguration(classes={Config1.class, Config2.class})
2. Mock role
   @Test @WithMockUser(roles={“ADMIN”})
   void testClass() {}
3. Using mockMvc.perform to test

Question 58

In the integration test, how to perform a test with username and password?

Answer 58

1. Add @SpringBootTest(webEnvironment=RANDOM_PORT)

2. Using TestRestTemplate.withBasicAuth(username, password)

Question 59

By default, what is the first filter in the spring filter chain?

Answer 59

springSecurityFilterChain

Note: with postfix Chain

Question 60

What does springSecurityFilterChain do through Spring-managed filters?

Answer 60

1. Drive authentication
2. Enforce authorization
3. Manage logout
4. Maintain SecurityContext in HttpSession
5. and more

Question 61

What is the relationship between ExceptionTranslationFilter and FilterSecurityInterceptor?

Answer 61

1. ExceptionTranslationFilter does nothing on request
2. FilterSecurityInteceptor does the hard work of performing the security check, but only raises an exception if the request is rejected
3. ExceptionTranslationFilter handles exception if exists and responds to the client.

Question 62

How to replace an existing filter?

Answer 62

1. Must extend the filter being replaced e.g.
   class Custom extends UsernamePasswordAuthenticationFilter {}
2. Create bean @Bean Filter loginFilter() {}
3. Override WebSecurityConfigurerAdapter.configure(HttpSecurity)
4. http.addFilter(loginFilter());
   Note: the order will be taken care by Spring

Question 63

How to add a custom filter?

Answer 63

1. class Custom implements Filter {}
2. Create bean for the filter
3. Override WebSecurityConfigurerAdapter.configure(HttpSecurity)
4. http.addFilterAfter(custom, UsernamePasswordAuthenticationFilter.class)

Question 64

@EnableGlobalMethodSecurity is annotation used in Spring Security to secure which layer?

Answer 64

Service layer

Question 65

In Spring Security, what is the name of the class holding the information regarding high-level user permissions?

Answer 65

Represents an authority granted to an Authentication object.

A GrantedAuthority must either represent itself as a String or be specifically supported by an AccessDecisionManager.

Question 66

In Spring Security, what is the name of the Servlet Filter intercepting all the requests sent to an application?

Answer 66

DelegatingFilterProxy

Question 67

In sprint security, how to filter data return by a function?

Answer 67

Using @PostFilter: data returned by a method can be filtered by a security restriction
There is also a @PreFilter but it is less commonly used.

Question 68

What do SpEL expressions starting with @ reference?

Answer 68

Spring bean

Question 69

Annotation equivalent to @RoleAllowed

Answer 69

@Secured