Spring Security Flashcards

1
Q

Illustrate the architecture of a servlet container

A
  • Web server (hardware)
    • Servlet container (Tomcat)
      • Threads
      • Filter chain
        • Filters
        • Servlet
2
Q

What is a servlet container and what is it used for?

A

A servlet container is software used to manage threads, filters, and the servlet

3
Q

What is a servlet and what is it used for?

A

A servlet is a component of a servlet container used to handle HTTP requests and responses

4
Q

What is DelegatingFilterProxy and what is it used for?

A

DelegatingFilterProxy is a Spring Security class that implements a servlet filter and it is used to bridge the servlet container to Spring’s ApplicationContext so that beans can be used. DelegatingFilterProxy delegates to a single bean called FilterChainProxy which further delegates to SecurityFilterChain beans composed of many filter beans

5
Q

What is the entry point to Spring Security?

A

FilterChainProxy

6
Q

What are the main responsibilities of FilterChainProxy?

A
  1. To determine which SecurityFilterChain bean should be used for an HTTP Request
  2. Apply Spring Security’s HttpFirewall
7
Q

When is a user considered authenticated?

A

Whenever an Authentication object is added to the SecurityContext

8
Q

What are the 3 main methods of Authentication and what do they return?

A
  • getPrincipal => Object (e.g. UserDetails)
  • getCredentials => Object (e.g. password)
  • getAuthorities => Collection<? extends GrantedAuthority>
9
Q

What are the 2 roles of Authentication?

A
  1. To serve as the input to the AuthenticationManager
  2. To represent the currently authenticated user inside the SecurityContext
10
Q

What is the purpose of GrantedAuthority?

A

To provide a representation of an authority that has been granted to a user. GrantedAuthority only has 1 method: String getAuthority()

11
Q

What is the purpose of AuthenticationManager?

A

To process an Authentication request. It does so by delegating to ProviderManager

12
Q

What is the purpose of ProviderManager?

A

To implement AuthenticationManager. ProviderManager iterates through a list of AuthenticationProviders until it finds one that can process the Authentication object

13
Q

Give some examples of AuthenticationProvider

A
  • DaoAuthenticationProvider
  • JwtAuthenticationProvider
14
Q

What is the purpose of SecurityContextHolder?

A

To associate the SecurityContext with the current thread of execution (it can be accessed anywhere within the same thread)

15
Q

What is the role of AuthorizationManager?

A

To read the collection of GrantedAuthority objects of the currently authenticated user and determine if he/she has the proper authority to access a resource.

16
Q

What is HttpSecurity and what is it used for?

A

HttpSecurity is a dependency bean of SecurityFilterChain used to configure the security of HTTP requests

17
Q

What is the difference between securityMatcher() and requestMatchers()?

A

securityMatcher matches an HTTP request to an HttpSecurity. requestMatchers matches a request to a rule defined inside HttpSecurity

18
Q

What annotation must be used on the @Configuration class to enable method level security?

A

@EnableMethodSecurity