Spring Security Interview Questions & Answers

  Question 1. What Is The Delegating Filter Proxy?

    Answer :

    Spring’s DelegatingFilterProxy provides the link between web.xml and the application context. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces.

  Question 2. What Is The Security Filter Chain?

    Answer :

    Spring Security applies web security through a series of servlet filters, and each of these filters is a Spring bean. Every filter your application needs has to be declared in the application context, but servlet filters only take effect when they are registered in web.xml. DelegatingFilterProxy bridges this gap: a DelegatingFilterProxy entry in web.xml delegates to the filter bean of the same name in the application context. Registering one DelegatingFilterProxy per filter, and getting their order right, quickly becomes cumbersome and clutters web.xml when there are many filters. FilterChainProxy solves this: web.xml gets a single entry, and the ordered list of security filters is managed entirely in the application context.




  Question 3. What Are The Mandatory Filters And Their Main Purpose?

    Answer :

    • SecurityContextIntegrationFilter – Establishes the SecurityContext and maintains it between HTTP requests
    • LogoutFilter – Clears the SecurityContextHolder when logout is requested
    • UsernamePasswordAuthenticationFilter – Puts an Authentication into the SecurityContext on a login request
    • ExceptionTranslationFilter – Converts Spring Security exceptions into an HTTP response or redirect
    • FilterSecurityInterceptor – Authorizes web requests based on config attributes and authorities

  Question 4. Are You Able To Add And/or Replace Individual Filters?

    Answer :

    Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required.


  Question 5. Is It Enough To Hide Sections Of My Output (e.g. JSP Page)?

    Answer :

    No, because we cannot readily reverse engineer what URL is mapped to what controller endpoint, as controllers can rely on headers, the current user, etc. to determine which method to invoke.

    JSP Tag Libraries – Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs.


  Question 6. Why Do You Need The Intercept-url?

    Answer :

    The intercept-url element is used to define the set of URL patterns that the application is interested in and to configure how they should be handled.

  Question 7. In Which Order Do You Have To Write Multiple Intercept-url’s?

    Answer :

    When matching the specified patterns defined by element intercept-url against an incoming request, the matching is done in the order in which the elements are declared. So the most specific patterns should come first and the most general should come last.
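    As an added example (not from the original page), the same first-match rule expressed in Java configuration, with the wrong ordering beside the correct one. It assumes Spring Security 6; the URL patterns and role name are constructed for the illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
class UrlOrderingConfig {

    // WRONG: the general pattern is declared first. Rules are evaluated in declaration order
    // and the first match wins, so "/**" swallows every request and the "/admin/**" rule is
    // dead: any authenticated user, not only ADMIN, reaches the admin pages.
    SecurityFilterChain wrongOrder(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/**").authenticated()
                .requestMatchers("/admin/**").hasRole("ADMIN"));
        return http.build();
    }

    // RIGHT: most specific first, most general last. anyRequest() is the catch-all and
    // must be the final rule; Spring Security rejects a rule declared after it.
    @Bean
    SecurityFilterChain rightOrder(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```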


  Question 8. Why Do You Need Method Security? What Type Of Object Is Typically Secured At The Method Level?

    Answer :

    • Spring Security uses AOP for security at the method level
    • Annotations based on Spring annotations or JSR-250 annotations
    • Java configuration to activate detection of annotations
    • It typically secures your services
    • Do not access repositories directly, as that bypasses security (and transactions)

  Question 9. Is Security A Cross Cutting Concern? How Is It Implemented Internally?

    Answer :

    Yes, Spring Security is a cross cutting concern. Spring Security also uses Spring AOP internally.


  Question 10. What Do @Secured And @RolesAllowed Do? What Is The Difference Between Them?

    Answer :

    @Secured and @RolesAllowed both provide method-level security for Spring beans. @Secured is a Spring Security annotation, available from Spring Security 2.0 onwards, while @RolesAllowed is a JSR-250 annotation; Spring Security supports the JSR-250 annotations for method-level security as well. @RolesAllowed provides role-based security only.


  Question 11. What Is A Security Context?

    Answer :

    Security context in Spring Security includes details of the principal currently using the application. Security context is always available to methods in the same thread of execution, even if the security context is not explicitly passed around as an argument to those methods.


  Question 12. How Is A Principal Defined?

    Answer :

    Inside the SecurityContextHolder we store details of the principal currently interacting with the application. Spring Security uses an Authentication object to represent this information.

    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;

    // getAuthentication() returns null when no SecurityContext has been established for this thread
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String username;  // declared outside the branches so it is usable afterwards
    if (principal instanceof UserDetails) {
        username = ((UserDetails) principal).getUsername();
    } else {
        username = principal.toString();  // e.g. a plain String principal such as "anonymousUser"
    }



  Question 13. What Is Authentication And Authorization? Which Must Come First?

    Answer :

    Authentication – Establishing that a principal’s credentials are valid

    Authorization – Deciding if a principal is allowed to perform an action

    Authentication comes before authorization, because the authorization process needs the principal object (with its authorities) to decide whether the user is allowed to perform an action on a secured resource.


  Question 14. In Which Security Annotations Are You Allowed To Use SpEL?

    Answer :

    They are @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter. These annotations support expression attributes to allow pre- and post-invocation authorization checks, and also to support filtering of submitted collection arguments or return values.

    Method security is a bit more complicated than a simple allow or deny rule. Spring Security 3.0 introduced some new annotations in order to allow comprehensive support for the use of expressions, for example on a service method such as:

    public void create(Contact contact);
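    As an added example (not code from the original page), a service interface that uses all four expression-enabled annotations, together with the Java-configuration switch that activates them. It assumes Spring Security 6; Contact and ContactService are hypothetical types made up for this illustration.

```java
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

/** Hypothetical domain object for this example. */
record Contact(long id, String owner, String name) {}

@Configuration
@EnableMethodSecurity  // Java-config counterpart of <global-method-security pre-post-annotations="enabled"/>
class MethodSecurityConfig {}

/** Hypothetical service: the expressions run against the caller's Authentication. */
interface ContactService {

    // Checked BEFORE invocation: only callers holding ROLE_USER may create contacts
    // (hasRole adds the ROLE_ prefix automatically). Anyone else gets AccessDeniedException.
    @PreAuthorize("hasRole('USER')")
    void create(Contact contact);

    // Argument filtering BEFORE invocation: filterObject is each element of the collection;
    // contacts owned by someone else are removed from the list before the method runs.
    // With more than one collection parameter, filterTarget must name which one to filter.
    @PreFilter("filterObject.owner == authentication.name")
    void deleteAll(List<Contact> contacts);

    // Checked AFTER invocation: returnObject is the method's result. The lookup happens, but
    // the caller is denied if the contact belongs to another user and they are not ADMIN.
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    Contact findById(long id);

    // Return-value filtering AFTER invocation: other users' contacts are stripped from the
    // list. The whole list is still loaded first, so for large sets filter in the query.
    @PostFilter("filterObject.owner == authentication.name or hasRole('ADMIN')")
    List<Contact> findAll();
}
```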

  Question 15. Does Spring Security Support Password Hashing? What Is Salting?

    Answer :

    Yes, Spring Security provides support for password hashing. A salt is a random value combined with each password before it is hashed; it prevents dictionary and precomputed (rainbow-table) attacks against the stored hashes in the event that your password store is compromised.
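    As an added example (not code from the original page), hashing and verifying passwords with Spring Security's PasswordEncoder, showing that the salt is generated per hash and carried inside the stored value. It assumes Spring Security 6 (spring-security-crypto) on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

class PasswordHashingDemo {

    /** Hash a password for storage. Each call draws a fresh random salt, so two hashes of the
     *  same password differ; the salt is embedded in the returned string ($2a$<cost>$<salt+hash>). */
    static String hashForStorage(PasswordEncoder encoder, String rawPassword) {
        return encoder.encode(rawPassword);
    }

    /** Verify a login attempt: the salt is read back out of the stored hash and the candidate
     *  is re-hashed with it, so neither the plaintext nor the salt is stored separately. */
    static boolean verify(PasswordEncoder encoder, String candidate, String storedHash) {
        return encoder.matches(candidate, storedHash);
    }

    public static void main(String[] args) {
        // Cost factor 12 => 2^12 key-expansion rounds; raise it as hardware gets faster.
        PasswordEncoder bcrypt = new BCryptPasswordEncoder(12);

        String first = hashForStorage(bcrypt, "correct horse battery staple");
        String second = hashForStorage(bcrypt, "correct horse battery staple");
        System.out.println("same password, distinct salted hashes: " + !first.equals(second));
        System.out.println("correct password verifies: "
                + verify(bcrypt, "correct horse battery staple", first));
        System.out.println("wrong password rejected: "
                + !verify(bcrypt, "Correct horse battery staple", first));

        // In an application expose a DelegatingPasswordEncoder bean instead: it prefixes each
        // hash with the algorithm id ("{bcrypt}...") so the algorithm can be upgraded later
        // while existing hashes keep verifying. Legacy unsalted hashes should be re-hashed
        // on the user's next successful login.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = hashForStorage(delegating, "correct horse battery staple");
        System.out.println("stored with algorithm id prefix: " + stored.startsWith("{bcrypt}"));
        System.out.println("delegating encoder verifies: "
                + verify(delegating, "correct horse battery staple", stored));
    }
}
```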


  Question 16. Which Filter Class Is Needed For Spring Security?

    Answer :

    DelegatingFilterProxy (see Question 1). It is declared in web.xml as a filter named springSecurityFilterChain and delegates to the Spring bean of that name in the application context, which is the FilterChainProxy holding the actual security filters.


  Question 17. What Are Access Controls In Spring Security?

    Answer :

    Access controls are the rules that decide which principals may reach which resources or perform which operations, for example:

    • To access the account list, you must be authenticated.
    • The files in the directory “/secure” should only be visible to authenticated users.
    • The files in the directory “/secure/extreme” should only be visible to Supervisors.
    • Withdrawals and deposits can be made only by Tellers and Supervisors.
    • The overdraft limit for an account can be exceeded only by Supervisors.


  Question 18. How To Exclude Static Resources From Processing By The Spring Security Filters?

    Answer :

    <http pattern="/static/**" security="none"/>


  Question 19. From The Application’s Perspective, How Many User Roles Are Needed In Spring Security?

    Answer :

    Three user roles are used in the example application:

    • Supervisors
    • Tellers
    • Plain Users


  Question 20. Will Spring Security Secure The Whole Application?

    Answer :

    No. In a web application you still have to do more than configure Spring Security to protect the full application from attackers.


  Question 21. How To Add Security To Method Calls Made On Spring Beans In The Application Context?

    Answer :

    <global-method-security pre-post-annotations="enabled"/>

  Question 22. Which Java And Spring Versions Are Needed For Spring Security?

    Answer :

    Spring Security 3.0 and JDK 1.5.


  Question 23. What Are All The Security Layers In The Spring Security Framework?

    Answer :

    • Authentication
    • Web request security
    • Service layer and domain object security


  Question 24. When I Log In To An Application Where Spring Security Is Applied I Get The Message “Bad Credentials”. What Is Wrong?

    Answer :

    Authentication has failed for the given user id and password.


  Question 25. When I Try To Log In, The Application Goes Into An Endless Loop. What Is Wrong?

    Answer :

    This happens when the login page itself is a secured resource. The login page should not be secured; it should be accessible anonymously (marked ROLE_ANONYMOUS).
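    As an added example (not code from the original page), the configuration that produces the redirect loop beside the fixed one, plus the Java-configuration counterpart of the static-resource exclusion from Question 18. It assumes Spring Security 6 with a custom login page served at /login.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
class LoginConfig {

    // BROKEN: /login falls under anyRequest().authenticated(). An anonymous user is redirected
    // to /login, which itself requires authentication, which redirects to /login again ...
    SecurityFilterChain loopingChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"));
        return http.build();
    }

    // FIXED: the login page (and the error page) are reachable without authentication,
    // which is what marking them ROLE_ANONYMOUS achieves in the XML configuration.
    @Bean
    SecurityFilterChain securedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }

    // Counterpart of <http pattern="/static/**" security="none"/>: these paths bypass the
    // security filter chain entirely (no CSRF, no security headers, no SecurityContext).
    // Prefer permitAll() inside the chain when the static content should still get headers.
    @Bean
    WebSecurityCustomizer staticResources() {
        return web -> web.ignoring().requestMatchers("/static/**");
    }
}
```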