{"id":3978,"date":"2020-10-04T04:52:13","date_gmt":"2020-10-04T04:52:13","guid":{"rendered":"https:\/\/codethataint.com\/blog\/?p=3978"},"modified":"2021-04-13T11:24:12","modified_gmt":"2021-04-13T11:24:12","slug":"spring-security-interview","status":"publish","type":"post","link":"https:\/\/codethataint.com\/blog\/spring-security-interview\/","title":{"rendered":"Spring Security Interview"},"content":{"rendered":"
    \n
  1. What is the difference between FormBased and BasicAuth?<\/strong>
    \nThe Difference between FormAuth and BasicAuth is in BasicAuth UserName and Password would be sent everytime when making a request to the server in the header as base64 encoded character. BasicAuth happens at http Protocol level where as Formbased Auth happens at Framework level.\n<\/li>\n
  2. What is the difference between JKS and PKCS12?<\/strong>
    \nJKS is the most common if you stay within the Java world. PKCS#12 isn’t Java-specific, it’s particularly convenient to use certificates (with private keys) backed up from a browser or coming from OpenSSL-based tools.JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific, it usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it’s a Java specific keystore, so it cannot be used in other programming languages.PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type.<\/p>\n<\/li>\n
  3. \nHow safe is Userid and Password in Basic Auth?<\/strong>
    \nUserId and Password in BasicAuth would transferred using base64 encoded UserName and Password attached to Header prepending Basic<\/p>\n
    \r\nAuthorization : Basic base64(UserId:Password)\r\n<\/pre>\n<\/li>\n
  4. How POST, PUT and DELETE works in Basic Auth?<\/strong>
    \nIn Basic Auth with respect to Spring Security CSRF Token would be used incase CSRF is enabled. If CSRF is disabled Authorization in header would be used
    \nfor access. csrf().disable()<\/em> should be always used incase you are using other than GET method.\n<\/li>\n
  5. What is JSESSIONID?<\/strong>
    \nJSESSIONID which is generated and Stored as Cookie in Postman helps the spring boot app to recognizane whether the User is Authenticated or not.\n<\/li>\n
  6. How Spring Security handles CSRF in client Side when enabled?<\/strong>
    \nSpring Security generates JSESSIONID  and XSRF-TOKEN. Both were Set in Cookie. On Subsequent request X-XSRF-TOKEN should be sent in Header for Authorization.\n<\/li>\n
  7. What happens when I delete XSRF token in Cookie?<\/strong>
    \nNew Token would be generated based on JSESSIONID in cookie\n<\/li>\n
  8. What happens when I delete XSRF token and in Cookie and try POST, DELETE and PUT over API?<\/strong>
    \nNew JSESSIONID would be generated and placed in cookie. For this X-XSRF-TOKEN should be passed in header.\n<\/li>\n
  9. Where is JSESSION stored?<\/strong>
    \nJSESSION is session ID which is stored in Inmemory Database in Server and in a Cookie in Client Side.\n<\/li>\n
  10. What is the default Expiration time of JSESSION Cookie?<\/strong>
    \n30 Minutes\n<\/li>\n
  11. Spring Security Arcitecture?<\/strong>
    \n\"\"\n<\/li>\n
  12. Encoding vs Encrytion vs Hashing?<\/strong>
    \nEncoding <\/strong>refers to any transformation of a given input. For example, if we have a function x that reverses a string, function x -> y applied to ABCD produces DCBA.<\/p>\n
    \r\nx -> y\r\n<\/pre>\n
    Encryption<\/strong> is a particular type of encoding where, to obtain the output, you provide both the input value and a key. The key makes it possible for choosing afterward who should be able to reverse the function (obtain the input from the output). The simplest form of representing encryption as a function looks like this:<\/p>\n
    \r\n(x, k) -> y\r\n<\/pre>\n
    where x is the input, k is the key, and y is the result of the encryption. This way, an individual knows the key can use a known function to obtain the input from the output (y, k) -> x. We call this reverse function decryption. If the key used for encryption is the same as the one used for decryption, we usually call it a symmetric key<\/strong>.If we have two different keys for encryption ((x, k1) -> y) and decryption ((y,k2) -> x), then we say that the encryption is done with asymmetric keys<\/strong>. Then (k1,k2) is called a key pair<\/strong>. The key used for encryption, k1, is also referred to as the public key, while k2 is known as the private one. This way, only the owner of the private key can decrypt the data. <\/p>\n
    Hashing <\/strong>is a particular type of encoding, except the function is only one way. That is,from an output y of the hashing function, you cannot get back the input x. However,there should always be a way to check if an output y corresponds to an input x, so we can understand the hashing as a pair of functions for encoding and matching. If hashing is x -> y, then we should also have a matching function (x,y) ->boolean. <\/p>\n
    \r\n(x,y) ->boolean\r\n<\/pre>\n
    Sometimes the hashing function could also use a random value added to the input:
    \n(x, k) -> y. We refer to this value as salt<\/strong>. The salt makes the function stronger, enforcing the difficulty of applying a reverse function to obtain the input from the
    \nresult.<\/p>\n
  13. Two ways of Configuring Spring Security?<\/strong>
    \nMethod 1: Adding userservice and passwordEncoder in configure method(Not Recommended)<\/p>\n
    \r\n@Configuration\r\npublic class ProjectConfig extends WebSecurityConfigurerAdapter {\r\n    @Override\r\n    protected void configure(AuthenticationManagerBuilder auth) throws Exception {\r\n        auth.inMemoryAuthentication()\r\n                .withUser("john")\r\n                .password("12345")\r\n                .authorities("read")\r\n                .and()\r\n                .passwordEncoder(NoOpPasswordEncoder.getInstance());\r\n    }\r\n}\r\n<\/pre>\n
    Method 2: Using Seperate Configuration class for Bean and injecting beans(Recommended Method)
    \nPasswordConfig.java<\/strong><\/p>\n
    \r\n@Configuration\r\npublic class PasswordConfig {\r\n    @Bean\r\n    public PasswordEncoder passwordEncoder()\r\n    {\r\n        return new BCryptPasswordEncoder(10);\r\n    }\r\n}\r\n<\/pre>\n
    ApplicationSecurityConfig.java<\/strong><\/p>\n
    \r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n   @Autowired\r\n   private PasswordEncoder passwordEncoder; \r\n \r\n    @Override\r\n    @Bean\r\n    protected UserDetailsService userDetailsService() {\r\n\t   UserDetails mugilUsrBuilder = User.builder()\r\n\t\t\t   .username("Mugil")\r\n\t\t\t   .password(this.passwordEncoder.encode("password"))\r\n\t\t\t   .roles("ADMIN")\r\n\t\t\t   .build();\r\n \r\n\t   return new InMemoryUserDetailsManager(mugilUsrBuilder);\r\n    }\r\n\r\n \r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.csrf().disable()\r\n                     .authorizeRequests()\r\n                     \/\/Whitelisting URLS\r\n                    .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .antMatchers(HttpMethod.GET,"\/api\/**").permitAll()\r\n                    .antMatchers(HttpMethod.DELETE,"\/api\/**").hasRole("ADMIN")\r\n                    .antMatchers(HttpMethod.PUT,"\/api\/**").hasRole("ADMIN")\r\n                    .antMatchers(HttpMethod.POST,"\/api\/**").hasRole("ADMIN")\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n<\/li>\n
  14. What are the interface methods available in Spring Security?
    \n\n\n\n\n\n\n
    UserDetailsManager<\/td>\n\n
    public interface UserDetailsManager extends UserDetailsService {\r\nvoid createUser(UserDetails user);\r\nvoid updateUser(UserDetails user);\r\nvoid deleteUser(String username);\r\nvoid changePassword(String oldPassword, String newPassword);\r\nboolean userExists(String username);\r\n}<\/pre>\n<\/td>\n<\/tr>\n
    UserDetailsService<\/td>\n\n
    public interface UserDetailsService {\r\nUserDetails loadUserByUsername(String username)\r\nthrows UsernameNotFoundException;\r\n}<\/pre>\n<\/td>\n<\/tr>\n
    UserDetails<\/td>\n\n
    public interface UserDetails extends Serializable {\r\nString getUsername();\r\nString getPassword();\r\nCollection<? extends GrantedAuthority>\r\n\u27a5getAuthorities();\r\nboolean isAccountNonExpired();\r\nboolean isAccountNonLocked();\r\nboolean isCredentialsNonExpired();\r\nboolean isEnabled();\r\n}<\/pre>\n<\/td>\n<\/tr>\n
    AuthenticationProvider<\/td>\n\n
    public interface AuthenticationProvider {\r\nAuthentication authenticate(Authentication authentication)\r\nthrows AuthenticationException;\r\nboolean supports(Class<?> authentication);\r\n}<\/pre>\n<\/td>\n<\/tr>\n
    Authentication<\/td>\n\n
    public interface Authentication extends Principal, Serializable {\r\nCollection<? extends GrantedAuthority> getAuthorities();\r\nObject getCredentials();\r\nObject getDetails();\r\nObject getPrincipal();\r\nboolean isAuthenticated();\r\nvoid setAuthenticated(boolean isAuthenticated)\r\nthrows IllegalArgumentException;\r\n}<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
    What is the difference between FormBased and BasicAuth? The Difference between FormAuth and BasicAuth is in BasicAuth UserName and Password would be sent everytime when making a request to the server in the header as base64 encoded character. BasicAuth happens at http Protocol level where as Formbased Auth happens at Framework level. What is the… Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[326],"tags":[],"class_list":["post-3978","post","type-post","status-publish","format-standard","hentry","category-interview-questions-spring-security"],"_links":{"self":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/comments?post=3978"}],"version-history":[{"count":5,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3978\/revisions"}],"predecessor-version":[{"id":4221,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3978\/revisions\/4221"}],"wp:attachment":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/media?parent=3978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/categories?post=3978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/tags?post=3978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}