Spring-Security-101

Question 1

Which min java version is required for Spring security?

Answer 1

8

Question 2

What is the artifactid for spring security?

Answer 2

spring-boot-starter-security

Question 3

What is full form of CSRF?

Answer 3

Cross Site Request Forgery

Question 4

What is Synchronizer Token Pattern?

Answer 4

It requires that each http request must contain random token name csrf

Question 5

How can an eavesdropper cannot read the csrf token?

Answer 5

Because it is encryted and also the same origin policy restricts

Question 6

What is a Same Site attribute in cookies?

Answer 6

This attributes has two values , String and LAx
The Strict says the cookin must come from the same site, or else cookie wont be included, Lax says the request could come from the top level domain

Question 7

In case because of Samesite attribute, the cookin is not included, how will it save the CSRF attack?

Answer 7

As cookies has the sessionid included, since the cookie wont be inculded in case of not the same site. Thus the absence of session id .

Question 8

How we can let the MPfile to be uploaded with csrf security?

Answer 8

We can use the CSRF attache din Body ( this ill lead to upload and read the temporary file) or in URL param(not recommended)

Question 9

What is the role of cache headers i it?

Answer 9

By default the caching is disabled for all sorts of http request and resources, but yes can be tweaked.
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

Question 10

What is content-sniffing?

Answer 10

There are many browsers like that reads the content-type first of the resources send for a bettter UX.

Question 11

What is the issue associated with content-sniffing?

Answer 11

It will help attackers to post an XSS attack

Question 12

What is XSS?

Answer 12

Cross-Site Scripting

Question 13

How does SSecure safeguards the content-sniffing?

Answer 13

Bu adding the http header: X-Content-Type-Options: nosniff

Question 14

What is the full form of HSTS?

Answer 14

Http Strict Transport Security

Question 15

What is HSTS?

Answer 15

So it hap[pens when a user has typed without https, this will add the site to the browser by default https prptocol list

Question 16

How can it be HSTS list be preloaded into the browser?

Answer 16

By somehow preleading while updates or if the bank is called then adding the Strict-Transport-Security: max-age: … header

Question 17

How can we avoid clickjacking

Answer 17

With X-Frame-Options: Deny header

Question 18

What is CSP full form?

Answer 18

Content-Security-Piloicy

Question 19

What is CSP?

Answer 19

it is to mitigate the XSS and the like attakcs.It makes the browser to guide what to do and and from where to do, for e.g. Content-Security-Policy: script-src domain.com… says from where only to load the scripts

Question 20

Can SSecurity routes http to https site?

Answer 20

YEs

Question 21

How can SS helps in removing the load balancer fog?

Answer 21

By using server.use-forward-headers

Question 22

What is JOSE

Answer 22

Javascript Object Signing & Encryption

Question 23

What all standards come in JOSE?

Answer 23

JWT(Json Web Token)
JWS(JSOn Web Signature)
JWE(Json Web Encryption)
JWK(Json Web Key)

Question 24

How does SpSec gets integrated with Servlet Container?

Answer 24

By using a fileter: Filter

Question 25

Can we use Spring in any Servlet based app?

Answer 25

Yes, because it just need to have the “Filter”

Question 26

How does SpSec enables the Security?

Answer 26

SpSec by default enables a Filter named : SpringSecurityFilterChain, This is a bean.

Question 27

What is JAAS?

Answer 27

Java Authentication and Authorization Service Policy File

Question 28

What is core component for SpSec?

Answer 28

spring-security-core

Question 29

What is SecurityContextHolder?

Answer 29

It is the fundamental context in Spring Security, and it knows the Principle currently using the app. IT store the info in Threadlocal.

Question 30

Generally few apps like Desktop doesnot use the Threaloacal ?

Answer 30

Yes So SpringContextHolder can be used to use other mechaniism

Question 31

How can we obtain the info about current user?

Answer 31

Using Authentication object, populated by SpSec.
Object principle = SecurityContextHolder.getContext().getAuthentication().getPrinciple();

if(principle instanceof UserDetail)
username = (UserDetails) principle.getUserName();
else
username = principle.toString()

Question 32

What is getContext()

Answer 32

It gives impl of SecurityContext interface

Question 33

What is UserDetails

Answer 33

It is an adapter between user database or storage and the spring security

Question 34

Hos do the userdetail is captured inside SpSec?

Answer 34

UserDetailsService interface , it gives only one method and accepts only String username to create the userDetail object.

UserDetails loadUserByName(String username) throws UserNotFoundException

Question 35

What happens after successful authentication?

Answer 35

The UserDetails obj is used to build the Authentication object which gets stored in SecurityContextHolder

Question 36

Can we extend UserDetailService object?

Answer 36

Yes many object in Security-core cant be extended without crude purpose, and USerDetailsService Object can be extended , it also uses InMemorMap and JdbcDaoImpl

Question 37

What basically is UserDetailService>?

Answer 37

It is basically a Dao Sort of Object

Question 38

What is GrantedAuthority?

Answer 38

to reflect the applicaion-wide permission given to a principle

Question 39

What are the most basic operations go inside SpSec?

Answer 39

When a user logs in with UN and PW , a UsernamePasswordAuthenticationToken (an instance of Authentication interface), this token is passed to the AuthenticationManager to for validation, The AuthenticationManager rerurn Authetication Object, and then SecurutyContext is called by using SecurityContext.getContext,getAuthentication()…