Spring Security Test 2

    Question 1: SPRING SECURITY - Code Snippet (AuthenticationProvider)

    What does the following custom `AuthenticationProvider` do?

    @Component
    public class CustomAuthProvider implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication authentication) {
            // custom logic
            return new UsernamePasswordAuthenticationToken("user", null, List.of());
        }

        @Override
        public boolean supports(Class<?> auth) {
            return auth.equals(UsernamePasswordAuthenticationToken.class);
        }
    }

    Question 2: SPRING SECURITY - Code Snippet (SecurityMatcher)

    What is the purpose of `securityMatcher("/api/**")` in a filter chain?

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        return http
            .securityMatcher("/api/**")
            .authorizeHttpRequests()
                .anyRequest().authenticated()
            .and()
            .build();
    }

    Question 3: SPRING SECURITY - Code Snippet (JWT Creation)

    What does this code do?

    String token = Jwts.builder()
        .setSubject("user123")
        .setExpiration(new Date(System.currentTimeMillis() + 3600000)) // 3600000 ms = 1 hour
        .signWith(SignatureAlgorithm.HS256, secretKey)
        .compact();

    Question 4: SPRING SECURITY - AccessDecisionManager

    Internally, what does `AccessDecisionManager` do?

    Question 5: SPRING SECURITY - Code Snippet (AccessDeniedHandler)

    What does this configuration achieve?

    http
        .exceptionHandling()
        .accessDeniedHandler((req, res, ex) ->
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Not Authorized"));

    Question 6: SPRING SECURITY - SecurityContextHolder

    What does `SecurityContextHolder` store during the request lifecycle?

    Question 7: SPRING SECURITY - Filter Order

    How is the execution order of filters inside a `SecurityFilterChain` determined?

    Question 8: SPRING SECURITY - Stateless vs Stateful Sessions

    What is the key difference between JWT-based stateless authentication and session-based authentication?

    Question 9: SPRING SECURITY - Code Snippet (PostAuthorize)

    What does the following annotation achieve?

    @PostAuthorize("returnObject.owner == authentication.name")
    public Account getAccount(Long id) { ... }

    Question 10: SPRING SECURITY - Exception Translation Filter

    What is the purpose of `ExceptionTranslationFilter` in Spring Security’s filter chain?

    Question 11: SPRING SECURITY - Code Snippet (Method Security)

    What happens when the following annotation is used?

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long id) { ... }

    Question 12: SPRING SECURITY - Code Snippet (PermitAll vs Authenticated)

    What is the outcome of this chain configuration?

    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests()
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .build();
    }

    Question 13: SPRING SECURITY - Code Snippet (Filter Registration)

    Why is a JWT filter typically placed before `UsernamePasswordAuthenticationFilter`?

    http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);

    Question 14: SPRING SECURITY - Hierarchical Roles

    If hierarchical roles are configured such that `ROLE_ADMIN > ROLE_USER`, what does it mean?

    Question 15: SPRING SECURITY - Code Snippet (Custom Config)

    What does the following snippet configure?

    http
        .exceptionHandling()
        .authenticationEntryPoint(new CustomEntryPoint())
        .accessDeniedHandler(new CustomAccessDeniedHandler());

    Question 16: SPRING SECURITY - PasswordEncoder

    Why is `PasswordEncoder` crucial in Spring Security’s internal authentication process?

    Question 17: SPRING SECURITY - Multiple Chains Ordering

    How can you control the evaluation order of multiple `SecurityFilterChain` beans?

    Question 18: SPRING SECURITY - JWT Expiration

    What happens when a JWT is expired?

    Question 19: SPRING SECURITY - Code Snippet (Custom Access Expression)

    What does this expression check?

    @PreAuthorize("#username == authentication.name")
    public void updateProfile(String username) { ... }

    Question 20: SPRING SECURITY - Handling CSRF Exceptions

    Which exception is typically thrown when a CSRF token is missing or invalid in Spring Security?