Spring Security for Interviews

Understand how Spring Security bridges the Servlet container and Spring context using filter proxies — architecture questions are the primary differentiator between junior and senior security interviews.

• DelegatingFilterProxy: bridges the Servlet container and Spring application context for security

• FilterChainProxy: central component that manages and delegates to multiple SecurityFilterChains

• SecurityContextHolder: stores the Authentication object for the duration of the current request

• SecurityContext lifecycle: created at request start, cleared at request end to prevent memory leaks

• Authentication object: holds principal, credentials, and granted authorities

• AuthenticationManager: orchestrates the authentication process by delegating to AuthenticationProviders

• ProviderManager: default AuthenticationManager implementation supporting multiple providers

• AuthenticationProvider: performs actual credential verification (e.g., DaoAuthenticationProvider)

• UserDetailsService: loads user-specific data from a data source by username

• PasswordEncoder: required for encoding and verifying passwords securely in modern Spring Security

Configure security rules using HttpSecurity DSL, manage multiple filter chains, and control filter execution order — filter chain configuration is tested in every Spring Security interview.

• HttpSecurity builder: DSL for defining security rules using modern lambda-based configuration

• SecurityFilterChain bean: replaces the deprecated WebSecurityConfigurerAdapter in modern Spring Security

• requestMatchers: scopes a SecurityFilterChain to specific URL patterns

• Multiple filter chains: handle different security requirements for API and Web UI with @Order

• Request matcher ordering: specific matchers must be placed before general ones like anyRequest()

• Filter execution order: custom filters positioned relative to UsernamePasswordAuthenticationFilter

• addFilterBefore / addFilterAfter: API for inserting custom filters at specific positions in the chain

• permitAll() vs authenticated(): granting public access vs requiring authentication on matched paths

• CSRF configuration: disable for stateless REST APIs, keep enabled for session-based web UIs

• CORS configuration: configure allowed origins, methods, and headers for cross-origin requests

Implement production-grade JWT authentication for stateless REST APIs — JWT filter implementation and session management are the most commonly tested topics in modern Spring Security interviews.

• Stateless session management: SessionCreationPolicy.STATELESS disables server-side session creation

• JWT filter placement: custom JWT filter must run before UsernamePasswordAuthenticationFilter

• JWT validation filter: parses Authorization header, validates signature, and populates SecurityContext

• Token signing: HMAC (symmetric) vs RSA (asymmetric) signing strategies and their trade-offs

• Token lifecycle: expiration (exp claim), refresh token strategy, and token revocation challenges

• Populating SecurityContext: create UsernamePasswordAuthenticationToken and set it in SecurityContextHolder

• JWT secret key: should be externalized to config, never hardcoded in source code

• Token refresh flow: short-lived access tokens paired with longer-lived refresh tokens

• Stateless vs stateful: JWT avoids server-side session storage but cannot be invalidated before expiry

• OncePerRequestFilter: base class for JWT filters ensuring they execute exactly once per request

Apply role-based and expression-based access control at the URL and method level — authorization questions including @PreAuthorize, SpEL, and the ROLE_ prefix trap are staples of senior interviews.

• Roles vs authorities: hasRole("ADMIN") auto-adds ROLE_ prefix, hasAuthority("ROLE_ADMIN") does not

• ROLE_ prefix trap: hasRole("ROLE_ADMIN") incorrectly looks for "ROLE_ROLE_ADMIN"

• @EnableMethodSecurity: enables @PreAuthorize, @PostAuthorize, and @Secured annotations

• @PreAuthorize: evaluates SpEL expression before method executes

• @PostAuthorize: evaluates SpEL expression after method returns, can filter return value

• @Secured: simpler annotation for role-based method security without SpEL

• Self-invocation bypass: calling a @PreAuthorize method from the same class skips the AOP proxy

• SpEL expressions: authentication.name, hasRole(), hasAnyAuthority(), and #param access

• Fine-grained access: @PreAuthorize("@myBean.canAccess(#id)") for custom authorization logic

• GrantedAuthority: interface representing a permission granted to an Authentication principal

Handle authentication and authorization failures with custom entry points and access denied handlers — security exception configuration is tested to distinguish candidates who understand 401 vs 403 semantics.

• AuthenticationEntryPoint: handles 401 Unauthorized — "I don't know who you are"

• AccessDeniedHandler: handles 403 Forbidden — "I know who you are but you can't do this"

• Custom JSON responses: returning structured error responses instead of default HTML error pages

• ExceptionTranslationFilter: catches AuthenticationException and AccessDeniedException in the chain

• CSRF protection: enabled by default, should be disabled for stateless REST APIs

• CSRF token: synchronizer token pattern validates that state-changing requests originate from the app

• Security headers: X-Content-Type-Options, X-Frame-Options, and HSTS configured automatically

• Content Security Policy: additional header to prevent XSS, configured via headers().contentSecurityPolicy()

• PasswordEncoder requirement: plain text passwords cause authentication failure in modern Spring Security

• {noop} prefix: testing-only way to use plain text passwords, never for production use