Spring Security Interview Questions for Experienced

25. What is SessionManagement in Spring Security?

At login, the user enters a username and password. If they are valid, an HTTP session is created on the server. Creating, managing and destroying that session is called session management.

  • It secures and manages multiple users’ sessions for incoming requests.
  • To control HTTP sessions, SessionManagementFilter and SessionAuthenticationStrategy are used.
  • The authentication strategy takes care of session timeout, session IDs, etc.
  • It verifies whether that object is null, that is, whether it exists or not.
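
A configuration sketch of the session controls described above, added here as an example (it is not code from the original article). It is written against the Spring Security 5.x WebSecurityConfigurerAdapter API; the class name, the /login URLs and the limit of one session per user are assumptions.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical configuration class illustrating session management settings.
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .sessionManagement()
                // Create an HTTP session only when one is actually needed.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Issue a new session id at login so a pre-login id cannot be reused
                // (this is the SessionAuthenticationStrategy applied on authentication).
                .sessionFixation().changeSessionId()
                // Where to send a request that carries an unknown or timed-out session id.
                .invalidSessionUrl("/login")
                // Concurrent session control: one live session per user. A second
                // login expires the older session instead of being refused.
                // Expiry tracking needs an HttpSessionEventPublisher to be registered.
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)
                    .expiredUrl("/login");
    }
}
```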

26. What is DelegatingFilterProxy in Spring Security?

DelegatingFilterProxy is a Servlet filter that intercepts all the incoming requests sent to an application.

  • It bridges the Servlet container’s lifecycle and Spring’s ApplicationContext.
  • The Servlet container allows registering filters using its own standards.
  • It can be registered through the Servlet container mechanism in web.xml, where we define a filter tag.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- Apply the security filter chain to every request -->
    <url-pattern>/*</url-pattern>
</filter-mapping>

27. How to implement Two-Factor Authentication (2FA) in Spring Security?

To implement two-factor authentication (2FA), follow the steps below:

  • Step 1: Add spring-boot-starter-security dependency in the pom.xml file.
  • Step 2: To configure Spring Security, extend WebSecurityConfigurerAdapter (WSCA).
Java
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // configure(HttpSecurity) is overridden here in Step 3
}
  • Step 3: Override the configure method.
Java
@Override
protected void configure(HttpSecurity http) throws Exception
{
    // write code here
}
  • Step 4: Now implement two-factor authentication by extending AbstractAuthenticationProcessingFilter (you may create a custom filter).
Java
public class TwoFactorAuthenticationFilter
    extends AbstractAuthenticationProcessingFilter {
    // attemptAuthentication(request, response) must be implemented here
}
  • Step 5: Register the custom filter in the security configuration.
Java
// Inside configure(HttpSecurity http)
http.addFilterBefore(
    new TwoFactorAuthenticationFilter(),
    UsernamePasswordAuthenticationFilter.class);


  • Step 6: Based on the application requirements, enable two-factor authentication for specific users or groups.
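
One way the custom filter from Steps 4 and 5 could look, added here as an example (it is not code from the original article), written against the Spring Security 5.x API that the steps use. The CodeVerifier interface, the constructor arguments, the /login URL and the "code" form field are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class TwoFactorAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    /** Hypothetical hook: checks a one-time code (TOTP, SMS, ...) for a user. */
    public interface CodeVerifier {
        boolean isValid(String username, String code);
    }

    private final CodeVerifier codeVerifier;

    public TwoFactorAuthenticationFilter(AuthenticationManager authenticationManager,
                                         CodeVerifier codeVerifier) {
        // Handle the login form POST before UsernamePasswordAuthenticationFilter does.
        super(new AntPathRequestMatcher("/login", "POST"));
        setAuthenticationManager(authenticationManager);
        this.codeVerifier = codeVerifier;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String code = request.getParameter("code"); // assumed form field name

        // First factor: the AuthenticationManager checks username and password
        // and throws an AuthenticationException if they are wrong.
        Authentication result = getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(username, password));

        // Second factor: fail closed when the code is missing or rejected, so a
        // correct password alone never yields an authenticated session.
        if (code == null || !codeVerifier.isValid(result.getName(), code)) {
            throw new BadCredentialsException("Invalid verification code");
        }
        return result;
    }
}
```

Register it as in Step 5, passing authenticationManagerBean() and a CodeVerifier to the constructor. A filter created with new keeps the default no-op session authentication strategy, so call setSessionAuthenticationStrategy(...) on it if session-fixation protection should apply to this login path.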

28. Explain Hashing in Spring Security.

Generally, when end users register their details they also provide a password. If we store that password in the database as it is, that is called plain text.

  • Storing plain text in the database is not a recommended practice, so the password should be converted to an unreadable format; this is called encrypting the password.
  • Storing the encrypted password in the database is called password hashing.
  • To convert it into an unreadable format, there are many hashing algorithms, such as the Message Digest algorithms (MD4, MD5) and the Secure Hash Algorithm family, SHA (SHA256, SHA128), etc.
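
In Spring Security itself, password hashing goes through the PasswordEncoder interface. The following added example (not code from the original article) contrasts an unsalted MD5 digest with BCryptPasswordEncoder, which salts every hash and is deliberately slow; the class name and the sample password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // Plain, unsalted MD5 digest rendered as hex.
    static String md5Hex(String password) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery staple"; // constructed sample value

        // A fast unsalted digest maps equal passwords to equal stored values,
        // so identical passwords are visible in the table and precomputed
        // lookup tables apply to every row at once.
        System.out.println("MD5 repeatable:    "
                + md5Hex(password).equals(md5Hex(password)));

        // BCrypt generates a fresh random salt per call and embeds it, together
        // with the cost factor (12 here), in the encoded string.
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String storedA = encoder.encode(password);
        String storedB = encoder.encode(password);
        System.out.println("BCrypt repeatable: " + storedA.equals(storedB));

        // Verification never decodes the hash: matches() re-hashes the candidate
        // with the salt taken from the stored value and compares the results.
        System.out.println("Correct password:  " + encoder.matches(password, storedA));
        System.out.println("Wrong password:    " + encoder.matches("wrong", storedA));
    }
}
```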

29. What is Spring Expression Language (SpEL), and which Spring Security annotations involve it?

SpEL (Spring Expression Language) is a powerful expression language that supports querying and manipulating an object graph at runtime. It can be used within Spring annotations to provide dynamic values based on runtime data. The following Spring Security annotations involve SpEL:

  • @PreAuthorize
  • @Secured
  • @PostAuthorize
  • @PostFilter
  • @PreFilter
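
How SpEL expressions read inside the four pre/post annotations from the list above, as an added example (not code from the original article). NoteService, Note and the in-memory list are hypothetical and exist only to give the expressions something to evaluate against.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

// Hypothetical service. In Spring Security 5.x these annotations take effect only
// when a configuration class has @EnableGlobalMethodSecurity(prePostEnabled = true).
@Service
public class NoteService {

    public static class Note {
        private final String owner;
        private final String text;
        public Note(String owner, String text) { this.owner = owner; this.text = text; }
        public String getOwner() { return owner; }
        public String getText() { return text; }
    }

    private final List<Note> notes = new ArrayList<>(); // constructed in-memory store

    // Evaluated before the call: #owner refers to the method argument.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public void add(String owner, String text) {
        notes.add(new Note(owner, text));
    }

    // Evaluated after the call: returnObject is the value about to be returned.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Note get(int index) {
        return notes.get(index);
    }

    // Removes every element of the returned list that fails the expression.
    @PostFilter("filterObject.owner == authentication.name or hasRole('ADMIN')")
    public List<Note> findAll() {
        return new ArrayList<>(notes); // must be mutable, the filter removes from it
    }

    // Removes failing elements from the argument before the method body runs.
    @PreFilter("filterObject.owner == authentication.name")
    public void removeAll(List<Note> toRemove) {
        notes.removeAll(toRemove);
    }
}
```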

Spring Security Interview Questions and Answers

Spring Security is a highly flexible and customizable security framework designed for Java applications, particularly those developed using the Spring Framework. It offers extensive security services for enterprise-level Java EE-based software applications. At its core, Spring Security is concerned with two vital aspects of software application security: authentication, which involves verifying users’ identities, and authorization, which involves determining the actions that users are allowed to perform.

In this article, we will look into 30+ Spring Interview Questions and Answers tailored for both freshers and experienced professionals with 1, 5, and 10 years of experience. Here we cover everything about Spring Security Interview Questions including the basics of authentication and authorization, configuration strategies, cross-site scripting prevention, securing REST APIs, and best practices for using OAuth2 and JWT with Spring Security.

Conclusion

In conclusion, mastering Spring Security interview questions is essential for both beginners and seasoned professionals. These questions help you understand the framework and its importance in creating secure software. By exploring these topics, you not only prepare for interviews but also improve your knowledge of vital security principles....
