Spring Security

Question 1

Illustrate the architecture of a servlet container

Answer 1

• Web server (hardware)
  
  • Servlet container (Tomcat)
    
    • Threads
    • Filter chain
      
      • Filters
      • Servlet

Question 2

What is a servlet container and what is it used for?

Answer 2

A servlet container is software used to manage threads, filters, and the servlet

Question 3

What is a servlet and what is it used for?

Answer 3

A servlet is a component of a servlet container used to handle HTTP requests and responses

Question 4

What is DelegatingFilterProxy and what is it used for?

Answer 4

DelegatingFilterProxy is a Spring Security class that implements a servlet filter and it is used to bridge the servlet container to Spring’s ApplicationContext so that beans can be used. DelegatingFilterProxy delegates to a single bean called FilterChainProxy which further delegates to SecurityFilterChain beans composed of many filter beans

Question 5

What is the entry point to Spring Security?

Answer 5

FilterChainProxy

Question 6

What are the main responsibilities of FilterChainProxy?

Answer 6

1. To determine which SecurityFilterChain bean should be used for an HTTP Request
2. Apply Spring Security’s HttpFirewall

Question 7

When is a user considered authenticated?

Answer 7

Whenever an Authentication object is added to the SecurityContext

Question 8

What are the 3 main methods of Authentication and what do they return?

Answer 8

• getPrincipal => Object (e.g. UserDetails)
• getCredentials => Object (e.g password)
• getAuthorities => Collection<? extends GrantedAuthority>

Question 9

What are the 2 roles of Authentication?

Answer 9

1. To serve as the input to the AuthenticationManager
2. To represent the currently authenticated user inside the SecurityContext

Question 10

What is the purpose of GrantedAuthority?

Answer 10

To provide a representation of an authority that has been granted to a user. GrantedAuthority only has 1 method: String getAuthority()

Question 11

What is the purpose of AuthenticationManager?

Answer 11

To process an Authentication request. It does so by delegating to ProviderManager

Question 12

What is the purpose of ProviderManager?

Answer 12

To implement AuthenticationManager. ProviderManager iterates through a list of AuthenticationProviders until it finds one that can process the Authentication object

Question 13

Give some examples of AuthenticationProvider

Answer 13

• DaoAuthenticationProvider
• JwtAuthenticationProvider

Question 14

What is the purpose of SecurityContextHolder?

Answer 14

To associate the SecurityContext with the current thread of executuion (can be accessible anywhere within the same thread)

Question 15

What is the role of AuthorizationManager?

Answer 15

To read the collection of GrantedAuthoritys of the currently authenticated user and determine if he/she has the proper authority to access a resource.

Question 16

What is HttpSecurity and what is it used for?

Answer 16

HttpSecurity is a dependency bean of SecurityFilterChain used to configure the security of HTTP requests

Question 17

What is the difference between securityMatcher() and requestMatchers()?

Answer 17

securityMatcher matches an HTTP request to an HttpSecurity. requestMatchers matches a request to a rule defined inside HttpSecurity

Question 18

What annotation must be used on the @Configuration class to enable method level security?

Answer 18

@EnableMethodSecurity