Spring Boot Spring Security Fundamentals Questions and Answers

Question 1

In a modern Spring Boot application, what is the primary purpose of defining a `SecurityFilterChain` bean?

Accepted Answer

To define a sequence of security filters that are applied to HTTP requests to handle concerns like authentication, authorization, and CSRF protection.

Answer

The `SecurityFilterChain` is the core component for configuring web-based security. It defines an ordered chain of filters that Spring Security applies to incoming HTTP requests. Each filter has a specific responsibility, such as authenticating a user, checking for a valid CSRF token, or authorizing access to a resource.

Question 2

A developer needs to secure a service method so that it can only be executed by users with the 'ADMIN' role. Which annotation provides the most flexible, expression-based approach to achieve this?

Accepted Answer

@PreAuthorize("hasRole('ADMIN')")

Answer

The `@PreAuthorize` annotation is the most flexible option as it allows for the use of Spring Expression Language (SpEL). This enables complex authorization rules beyond simple role checks, such as inspecting method arguments or properties of the current user's `Authentication` principal. While `@Secured` and `@RolesAllowed` can check for roles, they do not support expressions.

Question 3

In the context of Spring Security's authentication architecture, what is the primary responsibility of the `AuthenticationManager`?

Accepted Answer

To coordinate the authentication process by delegating the credential verification to one or more `AuthenticationProvider` instances.

Answer

The `AuthenticationManager` acts as the central coordinator for authentication. It receives an `Authentication` object (containing user-submitted credentials) and passes it to a series of configured `AuthenticationProvider`s. Each provider determines if it can handle that type of authentication. If successful, the `AuthenticationManager` returns a fully populated `Authentication` object.

Question 4

A Spring Boot application is configured to use form-based login. To protect against Cross-Site Request Forgery (CSRF) attacks, Spring Security, by default, employs the Synchronizer Token Pattern. How is the CSRF token typically validated for a state-changing request (e.g., POST)?

Accepted Answer

The token, stored in the user's session, must be included by the client in the request as a hidden form field or a specific HTTP header.

Answer

By default, Spring Security generates a CSRF token and stores it in the `HttpSession`. For the request to be valid, the client application must include this same token in the request, typically as a hidden input field named `_csrf` or in an HTTP header (like `X-CSRF-TOKEN`). The `CsrfFilter` then compares the token from the request with the one stored in the session to ensure the request is legitimate and not forged.

Question 5

Which of the following is the recommended `PasswordEncoder` implementation in modern Spring Security for securely hashing and storing user passwords?

Accepted Answer

`BCryptPasswordEncoder`

Answer

`BCryptPasswordEncoder` is the recommended and widely used implementation. It uses the bcrypt strong hashing algorithm, which is deliberately slow and includes a randomly generated salt with each hash. This makes it highly resistant to brute-force attacks and rainbow table attacks. `NoOpPasswordEncoder` is for plain text and is insecure, while others are considered legacy.

Spring Boot Practice Test

Spring Boot Practice Test

Spring Boot Spring Security Fundamentals Questions and Answers