Spring Security Flashcards
What are the core features of Spring Security?
Extensive authentication and authorization support.
Efficient detection and prevention of attacks like cross-site request forgery, session fixation, and clickjacking.
Seamless integration with the Servlet API.
Integration with Spring Web MVC (Model-View-Controller) features.
What is Spring Security?
A customizable authentication and access-control framework. It is the main standard for securing Spring-based applications.
What is Spring Security OAuth 2.0?
OAuth 2.0 is an authorization protocol that enables client applications to access protected resources by obtaining tokens from an authorization server. A client application or a third party can gain limited access to an HTTP service on behalf of the resource owner, or on its own behalf, via OAuth 2.0.
There are five key actors in OAuth 2.0:
User/resource owner: The person who owns the resource.
User-Agent: The browser used by the user.
Client: The application that requests an access token and is granted access after authorization. It means that the client passes credentials and its identification to the authorization server. It then uses the access token to access the resource server.
Authorization server: It issues access tokens to the client after successfully authenticating the resource owner and obtaining the owner's authorization. In other words, the authorization server acts as a gatekeeper, ensuring that only properly authenticated and authorized clients are granted access to the protected resources.
Resource server: It provides access to requested resources after validating access tokens. If the access token is valid, the resource server will allow the client to access the resource. If the access token is invalid or has expired, the resource server will deny the client’s request and return an error message.
What are authentication and authorization in Spring Security?
Authentication: Authentication is the process of verifying the identity of a person or entity trying to access a particular resource. This is usually done by prompting the user to enter a username and password, and then checking to see if they match the credentials stored in a database. Once the user has been authenticated, they may be granted access to the resource in question, provided they have the necessary authorization. There are many different methods of authentication, including biometric authentication, token-based authentication, and multi-factor authentication.
Authorization:
Authorization is the process of granting a user or entity access to a particular resource or data. This is usually done by verifying that the user has the necessary permissions or privileges to access the resource in question. In Spring Security, authorization is used to control access to web requests, methods, and individual domains. This ensures that users are only able to access the parts of a resource that they are supposed to and prevents unauthorized access.
What is hashing in Spring Security?
A hash function is a mathematical algorithm that takes in a string (such as a password) and produces a fixed-size output, known as a hash or hash value. One common example of a hash function is SHA-256, which is often used in cryptography to secure data. In the context of Spring Security, a hash function takes a password string as input and returns its hash, which is then stored in the database.
Hashing adds a robust security layer to stored passwords and helps ward off attacks: recovering the plain-text password from its hash value is considered computationally infeasible for an attacker.
What is digest authentication?
HTTP Digest authentication applies a cryptographic hash to the user's credentials (combined with a server-supplied nonce) before they are sent, so the plain-text password itself is never transmitted over the wire.
What is JWT?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of securely transmitting claims between parties as a JSON object. The information is verifiable and trustworthy because it carries a digital signature. JWTs can be signed with a shared secret (HMAC) or with a public/private key pair using RSA or ECDSA, which are asymmetric algorithms.
JWTs are best used in the following scenarios:
Authorization: This is the most common use of JWTs. Once a user logs in, each subsequent request includes the JWT, permitting the user to access the routes, services, and resources allowed for that specific token.
Information exchange: Because JWTs can be digitally signed, they are a great way of securely transmitting information between parties.
What are the prerequisites for Spring Security?
It requires Java 8 or a higher runtime environment.
No special configuration files are required when using an EJB or Servlet container. Spring Security also does not require a Java Authentication and Authorization Service (JAAS) policy file to be configured.
Your target artifact (JAR, WAR, or EAR) can be copied from one system to another and works immediately.
What are the advantages of the Spring JDBC template?
Spring simplifies database access with the Spring JDBC Template.
The Spring JDBC Template has the following advantages over the standard JDBC:
It provides the org.springframework.jdbc.core.JdbcTemplate class in the JDBC package, which performs automatic resource cleanup such as releasing database connections.
It converts the standard JDBC SQL exceptions into runtime exceptions. This action allows developers to act swiftly in response to errors. The template also converts vendor-specific error messages into an understandable format.
It allows us to translate the SQL result directly into an object or a list of objects by using the RowMapper or ResultSetExtractor interface.
It provides methods to write the SQL queries directly, saving a lot of work.
What are some security annotations that can involve Spring Expression Language (SpEL)?
Spring Security uses SpEL for expression support. Expressions are evaluated against a root object that is part of the evaluation context. The following annotations accept expression attributes for authorization checks:
@PreAuthorize: This annotation is used to specify a security constraint that must be satisfied before a method is invoked. The constraint is specified as an expression that is evaluated against the security context.
@PostAuthorize: This annotation is similar to @PreAuthorize, but the expression is evaluated after the method has been invoked.
@PreFilter: We use this annotation to specify a security constraint that must be satisfied before a list of elements is processed. The constraint is specified as an expression that is evaluated against each element in the list.
@PostFilter: This annotation is the opposite of @PreFilter because the expression is evaluated after the list has been processed.
@Secured: This annotation is used to specify a list of security roles that are allowed to access a method or class. The roles are specified as strings, and the user must have at least one of the specified roles to be granted access.
What are some important filter classes in Spring Security?
The Spring Security framework provides several filters that can be used to secure web applications. Some important filter classes include:
UsernamePasswordAuthenticationFilter: This filter is used to authenticate a user using a username and password.
BasicAuthenticationFilter: This filter is used to authenticate a user using basic authentication.
SessionManagementFilter: We use this to manage user sessions and prevent session hijacking.
SecurityContextPersistenceFilter: This filter is used to store the security context of a user across multiple requests.
ExceptionTranslationFilter: This filter is used to handle exceptions thrown during the security process and convert them into HTTP responses.
FilterSecurityInterceptor: This filter is used to enforce security constraints on HTTP requests based on the configured security rules.
Can you explain what auto-wiring is in Spring and how it functions?
The autowiring feature of the Spring Framework lets the container inject object dependencies implicitly. Internally it uses setter or constructor injection.
Describe the concept of the security context in a Spring application.
The SecurityContext is obtained from the SecurityContextHolder and contains the Authentication of the currently authenticated user.
How can we integrate Spring Boot and Basic Authentication in a project?
You do that by configuring Spring Security in the application. If Spring Security is on the classpath, Spring Boot automatically secures all HTTP endpoints with “basic” authentication. However, you can further customize the security settings. The first thing you need to do is add Spring Security to the classpath.
Outline the process of configuring Spring Security with in-memory authentication in a project.
Spring Security's InMemoryUserDetailsManager implements UserDetailsService to support username/password-based authentication with users stored in memory. InMemoryUserDetailsManager also provides management of UserDetails by implementing the UserDetailsManager interface. Spring Security uses UserDetails-based authentication whenever it is configured to accept a username and password.