Spring Security Interview Questions and Answers for 2025

Spring Security provides a number of password encoders that you can use to handle password hashing and encryption. 

To use a password encoder, you will need to configure it in your Spring

Security configuration. Here is an example of how to do this: 

@Configuration@EnableWebSecuritypublic class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .passwordEncoder(passwordEncoder()) .withUser("user") .password(passwordEncoder().encode("password")) .roles("USER"); }} 

This example configures the BCryptPasswordEncoder, which is a popular choice for password encoding because it is secure and resistant to attacks such as dictionary attacks and rainbow table attacks. 

When a user attempts to authenticate, the password they provide is passed through the password encoder, and the encoded version is compared to the stored encoded password. If the encoded passwords match, the user is authenticated. 

Spring Security also provides support for password hashing algorithms such as PBKDF2, SCrypt, and Argon2. You can use these algorithms by configuring the corresponding password encoder in your Spring Security configuration. 

Spring Security is a framework that provides authentication, authorization, and protection against common web vulnerabilities for Java-based web applications. It is designed to easily integrate with other Spring-based applications and is highly customizable. 

Spring Security provides a number of features that can be used to secure a web application. Some of these features include: 

• Authentication: Spring Security allows you to authenticate users using a variety of methods, such as form-based login, basic authentication, or integration with external authentication systems like LDAP or OAuth. 
• Authorization: Once a user is authenticated, Spring Security can be used to authorize their access to certain parts of the application based on their role or permissions. 
• CSRF Protection: Cross-Site Request Forgery (CSRF) attacks attempt to trick users into making unintended requests to a web application. Spring Security provides protection against CSRF attacks by generating a unique token that is checked on the server for each modifying request. 
• Session Management: Spring Security can be used to manage user sessions, including configuring session timeouts, controlling concurrent sessions, and invalidating sessions when necessary. 
• Security Headers: Spring Security can be configured to set security-related HTTP headers, such as Content-Security-Policy, X-Frame-Options, and X-XSS-Protection, to help protect against common web vulnerabilities. 
• Encryption: Spring Security can be used to encrypt sensitive data, such as passwords, using strong encryption algorithms. 

Overall, Spring Security helps secure a web application by providing various features that can be customized to fit the security needs of the application. 

Spring Security is highly customizable, and you can use a number of approaches to customize it for your application's specific needs. Some ways you can customize Spring Security include: 

• Authentication Providers: Spring Security allows you to specify one or more authentication providers to authenticate users. You can use the built-in providers, such as form-based login or basic authentication, or you can write your own custom authentication provider to integrate with an external authentication system. 
• Access Control: You can use Spring Security's access control features to specify which users or roles are allowed to access certain parts of your application. This can be done using @PreAuthorize annotations or by configuring access rules in XML or Java configuration. 
• HttpSecurity Configuration: You can use the HttpSecurity object to configure various aspects of Spring Security's HTTP-based security, such as specifying which URLs should be secured, which authentication methods should be used, and which security headers should be set. 
• Custom Filters: Spring Security allows you to specify custom filters that can be used to perform additional security checks or processing. For example, you could write a custom filter to integrate with an external authentication system or perform additional authorization checks. 
• DelegatingFilterProxy: The DelegatingFilterProxy servlet filter is used to delegate requests to the Spring Security filter chain. You can configure the DelegatingFilterProxy to customize the order in which filters are applied and to specify which filters should be used for which URLs. 

Overall, there are many ways you can customize Spring Security to fit the specific needs of your application. It is a highly flexible and powerful security framework that can be adapted to a wide variety of security requirements. 

Spring Security is a framework that provides authentication and authorization support for Java-based applications. It can be easily integrated with other security frameworks, such as SAML (Security Assertion Markup Language) and CAS (Central Authentication Service), to provide a single sign-on (SSO) solution for your application. 

To integrate Spring Security with SAML, you can use the Spring Security SAML Extension. This extension provides an implementation of the SAML 2.0 protocol for Single Sign-On (SSO) and enables your application to participate in an SSO flow with a SAML Identity Provider (IDP). 

To integrate Spring Security with CAS, you can use the Spring Security CAS Client. This library provides support for integrating with a CAS Server for authentication and single sign-on purposes. 

Both the Spring Security SAML Extension and the Spring Security CAS Client provide easy-to-use support for integrating these security frameworks with your Spring-based application. 

There are several ways to test Spring Security configurations in your application: 

1. Unit Tests: You can use unit tests to test individual components of your security configuration, such as authentication and authorization rules. 
2. Integration Tests: You can use integration tests to test the integration of your security configuration with the rest of your application. These tests can verify that the security configuration is applied correctly and that the expected behavior is achieved. 
3. Manual Tests: You can manually test your security configuration by manually interacting with the application and verifying that the correct authentication and authorization behavior is achieved. 
4. Security Testing Tools: There are several security testing tools that can help you test your application's security configuration. These tools can be used to perform vulnerability scans, penetration tests, and other types of security tests. 

It is generally a good idea to use a combination of these approaches to test your security configuration thoroughly. This will help you ensure that your security configuration is effective and that your application is secure. 

In Spring Security, a security realm is a collection of authentication and authorization rules that define how users are authenticated and authorized to access different resources in an application. 

When a user attempts to access a protected resource in an application, Spring Security will consult the configured security realm to determine whether the user is authenticated and authorized to access the resource. 

The security realm is configured using an AuthenticationManager and an AuthorizationManager. The AuthenticationManager is responsible for authenticating users, and the AuthorizationManager is responsible for determining whether a user is authorized to access a particular resource. 

Spring Security supports multiple security realms, and you can configure your application to use multiple realms in a single security configuration. This can be useful if you have different authentication and authorization rules for different resources or users in your application. 

Don't be surprised if this question pops up as one of the top interview questions on Spring Security in your next interview.

In Spring Security, a security context is an object that stores the security-related state of an application. It is used to store information about the authenticated user, such as the user's identity and any granted authorities (permissions). 

The security context is represented by the SecurityContext interface in Spring Security. This interface defines methods for storing and retrieving the authentication object, which represents the authenticated user and their granted authorities. 

The security context is typically stored in a thread-local variable, which allows it to be accessed from any point in the application without the need to pass the context around as a method argument. This makes it easy to access the security context from anywhere in the application and make decisions based on the authenticated user's identity and authorities. 

In Spring Security, the security context is managed by the SecurityContextHolder, which provides static methods for accessing and modifying the security context. This makes it easy to access and modify the security context from anywhere in the application. 

Spring fires authentication events for each authentication. Depending on whether the authentication was successful or not, the spring fires AuthenticationSuccessEvent or AuthenticationFailureEvent, respectively. AuthenticationEventPublisher is used to listen to these events. The default publisher provided by spring is DefaultAuthenticationEventPublisher. 

 DefaultAuthenticationEventPublisher can be created as below : 

@Bean 
public AuthenticationEventPublisher authEventPublisher(ApplicationEventPublisher appEventPublisher) { 
return new DefaultAuthenticationEventPublisher(app event publisher); 
} 

After the publisher bean creation now, we can create a class with event support to listen to the authentication events : 

@Component 
public class AuthenticationEventsHandler { 
@EventListener 
public void handleSuccess(AuthenticationSuccessEvent authSuccessEvent) { 
//handle event 
} 
@EventListener 
public void handleFailure(AuthenticationFailureEvent authFailureEvent) { 
//handle event 
} 
} 

The process of combining the user password with random data (salt) before password hashing is called salting. Spring security, by default, provides a salting feature. Using salt adds an additional layer of security and thereby makes it even more difficult to crack the password.

UserDetailsService is used to fetch user details like user name, password etc., for authentication. Spring provides two kinds of UserDetailsService. One is InMemoryDetailsManager, and the other is JdbcDaoImpl. 

InMemoryDetailsManager : 

It implements UserDetailsService to provide authentication of the user name and password, which is stored in memory. The bean declaration is as follows : 

@Bean 
public UserDetailsService inMemoryUserDetailsManager() { 
UserDetails userDetails = User.builder(). 
username(“user-name”). 
password(“user-password”).roles(“USER”).build(); 
UserDetails adminDetails = User.builder(). 
username(“admin”). 
password(“admin-password”). 
roles(“USER”, “ADMIN”).build(); 
return new InMemoryUserDetailsManager(userDetails,adminDetails); 
} 

JdbcDaoImpl : 

It implements UserDetailsService to provide authentication of the user name and password, which is present in the database and is retrieved by JDBC. The bean declaration is as follows : 

@Bean 
public UserDetailsService jdbcUserDetailsManager(DataSource dataSource) { 
UserDetails userDetails = User.builder(). 
username(“user-name”). 
password(“user-password”).roles(“USER”).build(); 
UserDetails adminDetails = User.builder(). 
username(“admin”). 
password(“admin-password”). 
roles(“USER”, “ADMIN”).build(); 
JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager(datasource); 
jdbcUserDetailsManager.createUser(userDetails); 
jdbcUserDetailsManager.createUser(adminDetails); 
return jdbcUserDetailsManager; 
} 

Password encoding is something that keeps changing based on new needs. This enforces frequent migrations. In order to avoid this, spring provides DelegatingPasswordEncoder, using which both future, current and previous encodings can be supported. As an example, let’s assume bcrypt is the new default encoder, and scrypt is an alternate encoder. In this scenario DelegatingPasswordEncoder can be configured as below : 

@Bean 
public PasswordEncoder delegatingPasswordEncoder() { 
String defaultEncoder = “bcrypt”; 
Map<String, PasswordEncoder> encoders = new HashMap<>(); 
encoders.put(defaultEncoder, new BCryptPasswordEncoder()); 
encoders.put("scrypt", new SCryptPasswordEncoder()); 
return new DelegatingPasswordEncoder(defaultEncoder, encoders); 
}  

The SecurityContext is a central interface in Spring Security that is used to store the security-related information for a single application execution thread. This includes the authentication object, which represents the authenticated principal, and the authorization information that determines what the principal is allowed to do. 

The SecurityContext is stored in a thread-local variable and is available to security-related classes throughout the application. This allows the security information to be accessed and modified by different components of the application without the need to pass the security information around as method arguments. 

The SecurityContext can be accessed using the SecurityContextHolder, which provides static methods for setting and retrieving the SecurityContext. For example, you might use SecurityContextHolder.getContext().setAuthentication(authentication) to set the authentication object for the current thread. 

You can also use the @AuthenticationPrincipal annotation in your controllers to access the authentication object directly. For example: 

@GetMapping("/me")public User getCurrentUser(@AuthenticationPrincipal User user) { return user;} 

Spring Security provides a number of features to help with password hashing and encryption. 

To hash a password, you can use a PasswordEncoder. A PasswordEncoder is a function that takes a raw password and returns a hashed version of the password. The PasswordEncoder interface defines a number of methods for creating and verifying hashed passwords, including encode(CharSequence rawPassword) and matches(CharSequence rawPassword, String encodedPassword). 

Spring Security provides several built-in PasswordEncoder implementations, including BCryptPasswordEncoder, Pbkdf2PasswordEncoder, and SCryptPasswordEncoder. You can also create your own PasswordEncoder implementation if you need a custom hashing algorithm. 

To use a PasswordEncoder, you can configure it in your application's security configuration and then use it to hash the passwords of your users. For example: 

@Beanpublic PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder();}@Beanpublic DaoAuthenticationProvider authenticationProvider() { DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setPasswordEncoder(passwordEncoder()); provider.setUserDetailsService(userDetailsService); return provider;} 

This configuration creates a BCryptPasswordEncoder bean and sets it as the password encoder for a DaoAuthenticationProvider. The DaoAuthenticationProvider is then used to authenticate users by comparing their raw passwords (supplied at login) with the hashed versions stored in the database. 

In addition to password hashing, Spring Security also provides support for encrypting data using the Encryptors utility class and the TextEncryptor interface. The Encryptors class provides static methods for creating TextEncryptor instances using various encryption algorithms, such as AES and Blowfish. The TextEncryptor interface defines methods for encrypting and decrypting text. 

You can use the Encryptors and TextEncryptor classes to encrypt and decrypt sensitive data, such as passwords or API keys, that you need to store in your application. For example: 

TextEncryptor encryptor = Encryptors.text("password", "salt");String encryptedText = encryptor.encrypt("secret message");String decryptedText = encryptor.decrypt(encryptedText); 

This example creates an AES-based TextEncryptor using the specified password and salt and then uses it to encrypt and decrypt a message. 

To integrate Spring Security with LDAP for authentication, you can follow these steps: 

Add the Spring Security LDAP dependency to your project. 

Configure Spring Security in your application by adding a WebSecurityConfigurerAdapter and overriding the configure(HttpSecurity http) method. 

In the configure method, specify the URL patterns that you want to secure and the authentication rules for those patterns. For example, you might use http.antMatcher("/login").formLogin().permitAll() to allow all users to access the /login endpoint. 

Configure an authentication manager and specify the LDAP authentication provider. You can do this using the ldapAuthentication() method of the HttpSecurity object. For example: 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .ldapAuthentication() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://ldap.example.com:389/dc=example,dc=com") .and() .passwordCompare() .passwordEncoder(new BCryptPasswordEncoder()) .passwordAttribute("userPassword");} 

This configuration sets up an LDAP authentication provider that uses the specified LDAP server and searches base to authenticate users. It also specifies the pattern for constructing the user DN and the attribute that contains the user's password. 

(Optional) If you want to use LDAP for authorization as well as authentication, you can configure the LDAP authentication provider to retrieve the user's groups from LDAP and use those groups to grant or deny access to resources. You can do this using the ldapAuthorities() method of the HttpSecurity object. For example: 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .ldapAuthentication() // ... .and() .ldapAuthorities() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://ldap.example.com:389/dc=example,dc=com");} 

This configuration sets up an LDAP authorities provider that retrieves the user's groups from LDAP and uses those groups to determine the user's permissions. You can then use Spring Security's built-in authorization mechanisms, such as hasRole() or hasAuthority(), to specify the permissions required to access particular resources. 

Note that the configuration of the LDAP authentication provider and the LDAP authorities provider can be combined into a single ldapAuthentication() method call if desired. 

To configure Spring Security to use multiple authentication providers, you can use the authenticationProvider method of the HttpSecurity object to register multiple AuthenticationProvider instances. 

For example: 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .authenticationProvider(ldapAuthenticationProvider()) .authenticationProvider(databaseAuthenticationProvider()) .formLogin() .permitAll();}@Beanpublic AuthenticationProvider ldapAuthenticationProvider() { // configure and return LDAP authentication provider}@Beanpublic AuthenticationProvider databaseAuthenticationProvider() { // configure and return database authentication provider} 

In this example, the HttpSecurity object is configured with two AuthenticationProvider instances: an LDAP authentication provider and a database authentication provider. The formLogin() method is used to enable form-based login, which allows the user to choose which provider they want to use to log in. 

Spring Security will iterate through the registered AuthenticationProvider instances and use the first one that supports the authentication request to authenticate the user. If none of the providers are able to authenticate the user, the request will be rejected. 

You can also use the authenticationProvider method to specify the order in which the providers should be tried. The first provider that is registered will be tried first, followed by the second provider, and so on. 

You can use multiple authentication providers to support different authentication methods, such as LDAP, database, and two-factor authentication, or delegate to different authentication systems depending on the user's role or location. 

A staple in senior Spring Boot Security interview questions with answers, be prepared to answer this one using your hands-on experience. This is also one of the top interview questions to ask a Spring Security engineer.

To secure a Single Page Application (SPA) using Spring Security, you can use the following approach: 

Add the Spring Security dependency to your project. 

Configure Spring Security in your application by adding a WebSecurityConfigurerAdapter and overriding the configure(HttpSecurity http) method. 

In the configure method, specify the URL patterns that you want to secure and the authentication and authorization rules for those patterns. For example, you might use http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated() to require authentication for all requests to the /api endpoint. 

(Optional) If you want to use JSON Web Tokens (JWTs) to authenticate your SPA, you can use the spring-security-jwt library to create and verify JWTs. 

In your SPA, use JavaScript to handle the login process and to send authenticated requests to the server. You can use the Authorization header or a custom request parameter to pass the JWT with each request. 

Here is an example configuration that secures a SPA using Spring Security and JWTs: 

@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .cors().and() .csrf().disable() .antMatcher("/api/**") .authorizeRequests() .anyRequest().authenticated() .and() .addFilter(new JwtAuthenticationFilter(authenticationManager())) .addFilter(new JwtAuthorizationFilter(authenticationManager(), this.userRepository)) .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } // ...} 

 This configuration enables Spring Security and disables CSRF protection and session management. It also defines a custom authentication filter that uses JWTs to authenticate requests. 

In your SPA, you can use JavaScript to handle the login process and send authenticated requests to the server. For example: 

function login(username, password) { return fetch("/login", { method: "POST", body: JSON.stringify({ 

To customize the login process in Spring Security, you can do one or more of the following: 

Use a custom AuthenticationSuccessHandler to handle successful login attempts. An AuthenticationSuccessHandler is a component that is called by Spring Security after a successful login to decide where to redirect the user. You can create a custom AuthenticationSuccessHandler by implementing the AuthenticationSuccessHandler interface and providing a custom onAuthenticationSuccess method. 

Use a custom AuthenticationFailureHandler to handle failed login attempts. An AuthenticationFailureHandler is a component that is called by Spring Security after a failed login to decide what to do. You can create a custom AuthenticationFailureHandler by implementing the AuthenticationFailureHandler interface and providing a custom onAuthenticationFailure method. 

Use a custom AuthenticationProvider to authenticate the user. An AuthenticationProvider is a component that is responsible for verifying the user's credentials and returning an Authentication object if the credentials are valid. You can create a custom AuthenticationProvider by implementing the AuthenticationProvider interface and providing a custom authenticate method. 

Use a custom UserDetailsService to load the user's details. A UserDetailsService is a component that is responsible for loading the user's details (such as the user's authorities and password) from a data store. You can create a custom UserDetailsService by implementing the UserDetailsService interface and providing a custom loadUserByUsername 

To implement role-based access control (RBAC) in Spring Security, you can do the following: 

Define the roles that you want to use in your application. A role represents a set of permissions that a user can have. You can define roles in a configuration file, in a database, or in another store. 

Assign roles to users. You can assign roles to users by storing the roles in a database or in another store and linking the roles to the users. 

Configure Spring Security to use your roles for authorization. In your Spring Security configuration, use the hasRole or hasAuthority methods of the HttpSecurity object to specify the permissions required to access particular resources. For example: 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/user/**").hasAnyRole("ADMIN", "USER") .anyRequest().permitAll();} 

This configuration requires the ADMIN role for access to the /admin endpoint and either the ADMIN or USER role for access to the /user endpoint. All other requests are allowed without requiring any particular role. 

You can also use the @PreAuthorize and @PostAuthorize annotations on your controller methods to specify the permissions required to invoke the method. For example: 

@PreAuthorize("hasRole('ADMIN')")@GetMapping("/admin/users")public List<User> getUsers() { // ...} 

This method will only be accessible to users with the ADMIN role. 

You can also use the @RolesAllowed annotation to specify the required roles, but this annotation is deprecated in favor of the @PreAuthorize and @PostAuthorize annotations. 

To use Spring Security to secure a method-level in a Spring MVC application, you can use the @PreAuthorize and @PostAuthorize annotations to specify the required permissions for the method. 

The @PreAuthorize annotation is used to check the permissions before the method is invoked, while the @PostAuthorize annotation is used to check the permissions after the method is invoked. 

For example: 

@PreAuthorize("hasRole('ADMIN')")@PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")@GetMapping("/users/{id}")public User getUser(@PathVariable Long id) { // ...} 

This method will only be accessible to users with the ADMIN role or to users who are the owner of the object returned by the method. The authentication object represents the authenticated principal, while the returnObject variable represents the object returned by the method. 

You can also use the @RolesAllowed annotation to specify the required roles, but this annotation is deprecated in favor of the @PreAuthorize and @PostAuthorize annotations. 

Note that you need to have Spring Security configured in your application for the @PreAuthorize and @PostAuthorize annotations to work. You can configure Spring Security using a WebSecurityConfigurerAdapter and override the configure(HttpSecurity http) method. 

To use Spring Security to perform authentication and authorization in a microservices architecture, you can do the following: 

Use JSON Web Tokens (JWTs) to pass the authenticated user's information between microservices. A JWT is a JSON object that is signed and optionally encrypted to ensure its authenticity and integrity. You can use the spring-security-jwt library to create and verify JWTs. 

In each microservice, configure Spring Security to validate the JWT and extract the user's information from it. You can use the JwtAuthenticationFilter provided by the spring-security-jwt library to do this. 

In each microservice, use the @PreAuthorize and @PostAuthorize annotations or the HttpSecurity object's authorization methods (such as hasRole or hasAuthority) to specify the required permissions for each protected resource. 

In each microservice, use a common set of roles or authorities to ensure consistent authorization across the microservices. You can store the roles or authorities in a database or in another store and link them to the users. 

Here is an example configuration that secures a microservice using Spring Security and JWTs: 

@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .cors().and() .csrf().disable() .authorizeRequests() .anyRequest().authenticated() .and() .addFilter(new JwtAuthenticationFilter(authenticationManager())) .addFilter(new JwtAuthorizationFilter(authenticationManager())) .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } // ...} 

This configuration enables Spring Security and disables CSRF protection and session management. It also defines a custom authentication filter that uses JWTs to authenticate requests. 

You can then use the @PreAuthorize and @PostAuthorize annotations or the HttpSecurity object's authorization methods to specify the required permissions for each protected resource. 

To use Spring Security to authenticate users against a database, you can do the following: 

1. Create a database table to store the users' credentials (such as their usernames and password).

2. Create a UserDetailsService implementation to load the user's credentials from the database. A UserDetailsService is a component that is responsible for loading the user's details (such as the user's authorities and password) from a data store. You can create a custom UserDetailsService by implementing the UserDetailsService interface and providing a custom loadUserByUsername method.

@Servicepublic class CustomUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username); if (user == null) { throw new UsernameNotFoundException("User not found"); } List<GrantedAuthority> authorities = user.getRoles().stream() .map(role -> new SimpleGrantedAuthority(role.getName())) .collect(Collectors.toList()); return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), authorities); }} 

3. Configure Spring Security to use your UserDetailsService implementation. You can do this in your Spring Security configuration by overriding the configure(AuthenticationManagerBuilder auth) method and calling the userDetailsService method.

@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(customUserDetailsService);} 

Configure Spring Security to use form-based login. In your Spring Security configuration, use the formLogin method of the HttpSecurity object to enable form-based login. You can also customize the login process by providing a custom AuthenticationSuccessHandler and/or AuthenticationFailureHandler. 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .formLogin() .loginPage("/login") .defaultSuccessUrl("/home") .failureUrl("/login?error=true") .permitAll();} 

This configuration enables form-based login 

To use Spring Security to implement Remember Me functionality, you can do the following: 

Configure Spring Security to use form-based login. In your Spring Security configuration, use the formLogin method of the HttpSecurity object to enable form-based login. 

Add a Remember Me checkbox to the login form. 

When the user logs in, check the value of the Remember Me checkbox and set the remember-me parameter of the UsernamePasswordAuthenticationFilter accordingly. You can do this by adding a custom filter to the filter chain and setting the remember-me parameter in the doFilter method. 

public class RememberMeFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String rememberMe = request.getParameter("remember-me"); if (rememberMe != null) { request.setAttribute("remember-me", rememberMe); } filterChain.doFilter(request, response); }} 

Configure the UsernamePasswordAuthenticationFilter to use the remember-me parameter to determine whether to create a persistent token. You can do this by setting the tokenValiditySeconds property of the UsernamePasswordAuthenticationFilter to a non-zero value. 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .addFilter(new RememberMeFilter()) .formLogin() .loginPage("/login") .defaultSuccessUrl("/home") .failureUrl("/login?error=true") .permitAll() .and() .rememberMe() .tokenValiditySeconds(3600);} 

This configuration enables form-based login and sets the tokenValiditySeconds property of the UsernamePasswordAuthenticationFilter to 3600 seconds (1 hour). If the remember-me parameter is set to "true", the UsernamePasswordAuthenticationFilter will create a persistent token that is valid for 1 hour. 

Store the persistent tokens in a database or in another store. You can use the PersistentTokenRepository interface to store and retrieve the tokens. Spring Security provides a default implementation of this interface that uses a database to store the tokens. 

@Beanpublic PersistentTokenRepository persistentTokenRepository() { JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl(); tokenRepository.setDataSource(dataSource); 

To use Spring Security to integrate with a third-party authentication provider such as Google or Facebook, you can do the following: 

Create a developer account with the third-party provider and create a new app. This will give you a client ID and a client secret that you can use to authenticate your app with the provider. 

Add the Spring Security OAuth2 client dependency to your project. 

Configure the client ID and client secret in your Spring Security configuration. You can do this by adding a ClientRegistrationRepository bean to your configuration and registering the client ID and client secret as a ClientRegistration object. 

@Beanpublic ClientRegistrationRepository clientRegistrationRepository() { List<ClientRegistration> registrations = List.of( googleClientRegistration(), facebookClientRegistration() ); return new InMemoryClientRegistrationRepository(registrations);}private ClientRegistration googleClientRegistration() { return CommonOAuth2Provider.GOOGLE.getBuilder("google") .clientId("your-client-id") .clientSecret("your-client-secret") .build();}private ClientRegistration facebookClientRegistration() { return CommonOAuth2Provider.FACEBOOK.getBuilder("facebook") .clientId("your-client-id") .clientSecret("your-client-secret") .build();} 

@Beanpublic ClientRegistrationRepository clientRegistrationRepository() { List<ClientRegistration> registrations = List.of( googleClientRegistration(), facebookClientRegistration() ); return new InMemoryClientRegistrationRepository(registrations);}private ClientRegistration googleClientRegistration() { return CommonOAuth2Provider.GOOGLE.getBuilder("google") .clientId("your-client-id") .clientSecret("your-client-secret") .build();}private ClientRegistration facebookClientRegistration() { return CommonOAuth2Provider.FACEBOOK.getBuilder("facebook") .clientId("your-client-id") .clientSecret("your-client-secret") .build();} 

To use Spring Security to secure WebSockets in a Spring Boot application, you can do the following: 

Add the Spring Security dependency to your project. 

Configure Spring Security to use form-based login. In your Spring Security configuration, use the formLogin method of the HttpSecurity object to enable form-based login. 

Configure Spring Security to require authentication for WebSocket connections. In your Spring Security configuration, use the .apply(new WebSocketSecurityConfigurer()) method to configure WebSocket security. 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .formLogin() .loginPage("/login") .defaultSuccessUrl("/home") .failureUrl("/login?error=true") .permitAll() .and() .apply(new WebSocketSecurityConfigurer()) .permitAll();} 

This configuration enables form-based login and allows all WebSocket connections. 

If you want to restrict access to certain WebSocket destinations, you can use the .withSockJS() method to specify the allowed destinations. 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .formLogin() .loginPage("/login") .defaultSuccessUrl("/home") .failureUrl("/login?error=true") .permitAll() .and() .apply(new WebSocketSecurityConfigurer()) .permitAll() .withSockJS() .pathMapping("/ws", "/ws-secured");} 

This configuration allows all WebSocket connections to the /ws destination but requires authentication for the /ws-secured destination. 

If you want to use a different authentication mechanism for WebSockets (such as JWT-based authentication), you can implement a custom WebSocketAuthenticationConfigurer and use it to configure the authentication mechanism. 

public class JwtWebSocketAuthenticationConfigurer extends WebSocketAuthenticationConfigurer { @Override} 

This, along with other interview questions on Spring Security for freshers, is a regular feature in Spring Security interviews, be ready to tackle it with the approach mentioned.

To use Spring Security to perform two-factor authentication (2FA), you can do the following: 

Add the Spring Security OTP (one-time password) dependency to your project. 

Configure Spring Security to use form-based login. In your Spring Security configuration, use the formLogin method of the HttpSecurity object to enable form-based login. 

Enable 2FA in your Spring Security configuration by adding the .otp() method and specifying the OTP delivery method (such as email or SMS) 

@Overrideprotected void configure(HttpSecurity http) throws Exception { http .formLogin() .loginPage("/login") .defaultSuccessUrl("/home") .failureUrl("/login?error=true") .permitAll() .and() .otp() .deliveryMethod(DeliveryMethod.EMAIL) .mail() .host("smtp.gmail.com") .port(587) .username("your-email@gmail.com") .password("your-email-password") .and() .enabled(true);} 

This configuration enables form-based login and 2FA using email as the OTP delivery method. 

To use Spring Security to implement a custom authentication mechanism, you can do the following:

Create a custom AuthenticationProvider implementation to handle the authentication process. An AuthenticationProvider is a component that is responsible for verifying the authenticity of an Authentication object. You can create a custom AuthenticationProvider by implementing the AuthenticationProvider interface and providing a custom authenticate method.

@Componentpublic class CustomAuthenticationProvider implements AuthenticationProvider { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String username = authentication.getName(); String password = authentication.getCredentials().toString(); // Verify the username and password if (isValid(username, password)) { List<GrantedAuthority> authorities = new ArrayList<>(); // Add the authorities for the authenticated user return new UsernamePasswordAuthenticationToken(username, password, authorities); } else { throw new BadCredentialsException("Invalid username or password"); } } @Override public boolean supports(Class<?> authentication) { return authentication.equals(UsernamePasswordAuthenticationToken.class); }} 

Configure Spring Security to use your custom AuthenticationProvider implementation. You can do this in your Spring Security configuration by overriding the configure(AuthenticationManagerBuilder auth) method and calling the authenticationProvider method.

@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(customAuthenticationProvider);} 

Configure Spring Security to use a custom login form and process. In your Spring Security configuration, use the formLogin method of the HttpSecurity object to enable form-based login and customize the login