Spring Security Interview Questions - Practice & Strengthen Application Security
Master Spring Security with practical interview questions. Explore authentication flows, authorization strategies, and secure application design with concise explanations.
Top Spring Security Interview Questions for Freshers and Experienced
45 Questions
Easy · Medium · Hard
1 What is Spring Security and why is it used?
easy
basics, security
Answer
Spring Security is a framework for securing Java applications.
Key concept: Authentication and authorization.
It protects endpoints, users, and data.
2 What is authentication vs authorization?
easy
auth, basics
Answer
Authentication verifies identity; authorization checks permissions.
Key concept: Identity vs access.
Example: Login vs role-based access.
3 Explain SecurityFilterChain in Spring Security.
medium
filters, architecture
Answer
Defines the sequence of filters applied to requests.
Key concept: Filter-based security.
Each filter handles specific security logic.
4 What is the role of AuthenticationManager?
medium
authentication, architecture
Answer
Processes authentication requests.
Key concept: Delegation.
Delegates to AuthenticationProvider.
5 Explain AuthenticationProvider.
medium
authentication, provider
Answer
Validates user credentials.
Key concept: Pluggable authentication.
Example: DaoAuthenticationProvider.
6 What is UserDetailsService?
medium
user, authentication
Answer
Loads user-specific data by username.
Key concept: User lookup.
Returns a UserDetails object.
7 What is PasswordEncoder?
medium
password, security
Answer
Encodes (hashes) passwords securely and verifies them on login.
Key concept: Hashing.
Example: BCryptPasswordEncoder.
8 Why is BCrypt recommended?
medium
password, encryption
Answer
It is adaptive (configurable work factor) and resistant to brute-force attacks.
Key concept: Salting and hashing.
Automatically generates and stores the salt.
9 What is CSRF protection?
medium
csrf, security
Answer
Prevents cross-site request forgery attacks.
Key concept: Token validation.
Spring Security enables it by default.
10 When should CSRF be disabled?
medium
csrf, rest
Answer
In stateless APIs using JWT.
Key concept: No session dependency.
Example: REST APIs.
Caveat: this holds only when the token is sent in an Authorization header; a JWT stored in a browser cookie is sent automatically and still needs CSRF protection.
11 Explain JWT authentication in Spring Security.
hard
jwt, authentication
Answer
Uses signed tokens instead of server-side sessions.
Key concept: Stateless authentication.
The token carries user identity and claims.
12 What are the advantages of JWT?
medium
jwt, performance
Answer
Stateless, scalable, and reduces server load.
Key concept: Token-based auth.
Useful in microservices.
13 Explain OAuth2 in Spring Security.
hard
oauth2, auth
Answer
A framework for delegated authorization.
Key concept: Third-party login.
Example: Google login.
14 What is the difference between OAuth2 and JWT?
hard
oauth2, jwt
Answer
OAuth2 is an authorization framework; JWT is a token format.
Key concept: Protocol vs data.
They can be used together.
15 What is method-level security?
medium
authorization, annotations
Answer
Secures methods using annotations.
Key concept: Fine-grained control.
Example: @PreAuthorize.
16 Explain @PreAuthorize vs @PostAuthorize.
medium
annotations, authorization
Answer
@PreAuthorize checks before execution; @PostAuthorize after.
Key concept: Execution timing.
Useful for access control.
17 What is role hierarchy?
medium
roles, authorization
Answer
Defines role inheritance.
Key concept: Simplified authorization.
Example: ADMIN > USER.
18 Explain SecurityContext.
medium
context, security
Answer
Holds authentication details.
Key concept: Thread-local storage.
Access via SecurityContextHolder.
19 How does SecurityContextHolder work?
hard
context, internals
Answer
Stores context per thread.
Key concept: ThreadLocal.
Ensures request isolation.
20 What is session management in Spring Security?
medium
session, security
Answer
Handles user sessions.
Key concept: Stateful security.
Supports session fixation protection.
21 What is a session fixation attack?
hard
security, attack
Answer
The attacker gets the victim to authenticate with a session ID the attacker already knows.
Key concept: Session security.
Spring Security issues a new session ID on login.
22 Explain filter ordering in Spring Security.
hard
filters, debugging
Answer
Filters execute in defined order.
Key concept: Request lifecycle.
Incorrect order breaks security.
23 What is OncePerRequestFilter?
medium
filters, implementation
Answer
Ensures filter runs once per request.
Key concept: Idempotency.
Common in JWT filters.
24 How to secure REST APIs in Spring Boot?
medium
rest, security
Answer
Use JWT and disable sessions.
Key concept: Stateless security.
Configure HttpSecurity.
25 What is CORS and how is it handled?
medium
cors, security
Answer
Controls which cross-origin requests the browser allows.
Key concept: Browser security.
Configure via CorsConfiguration.
26 Explain the difference between permitAll() and authenticated().
medium
authorization, config
Answer
permitAll() allows all requests; authenticated() requires an authenticated user.
Key concept: Access rules.
Used in HttpSecurity.
27 What is the AccessDecisionManager?
hard
authorization, internals
Answer
Decides if access is allowed.
Key concept: Authorization logic.
Uses voters internally.
28 Explain custom authentication filter.
hard
filters, custom
Answer
A custom filter that handles login (authentication) requests.
Key concept: Extensibility.
Example: JWT filter.
29 How to implement custom UserDetails?
medium
user, custom
Answer
Implement the UserDetails interface.
Key concept: Custom user model.
Map database fields to its methods.
30 What is the difference between hasRole() and hasAuthority()?
medium
roles, authorization
Answer
hasRole() adds the ROLE_ prefix; hasAuthority() does not.
Key concept: Naming convention.
Used in access rules.
31 Explain login flow in Spring Security.
hard
flow, authentication
Answer
Request -> filter -> AuthenticationManager -> context.
Key concept: Flow pipeline.
Ends with the Authentication stored in the SecurityContext.
32 What happens if authentication fails?
medium
authentication, errors
Answer
An AuthenticationException is thrown and handled.
Key concept: Failure handler.
Returns 401 or a redirect to the login page.
33 How to customize error responses in Spring Security?
medium
errors, custom
Answer
Use AuthenticationEntryPoint.
Key concept: Custom error handling.
Return JSON response.
34 What is logout handling in Spring Security?
medium
logout, security
Answer
Invalidates session and clears context.
Key concept: Session cleanup.
Configurable endpoint.
35 Explain stateless vs stateful security.
medium
architecture, security
Answer
Stateless uses tokens; stateful uses sessions.
Key concept: Scalability.
Stateless preferred for APIs.
36 What is a request matcher?
medium
config, security
Answer
Defines URL patterns for security rules.
Key concept: Path matching.
Used in HttpSecurity.
37 How to debug Spring Security issues?
hard
debugging, logs
Answer
Enable debug logs.
Key concept: Logging.
Check filter chain execution.
38 What is the default login form behavior?
easy
login, basics
Answer
Spring provides a built-in login page.
Key concept: Auto configuration.
Customizable.
39 How to disable default login page?
easy
config, ui
Answer
Configure a custom login page in HttpSecurity.
Key concept: Custom UI.
Use formLogin().
40 What is authority mapping?
medium
authorization, mapping
Answer
Mapping roles to permissions.
Key concept: Access control.
Used in complex systems.
41 Explain multi-factor authentication integration.
hard
mfa, security
Answer
Adds additional verification step.
Key concept: Enhanced security.
Example: OTP + password.
42 What is remember-me authentication?
medium
authentication, cookies
Answer
Keeps user logged in via cookies.
Key concept: Persistent login.
Uses token storage.
43 How to secure microservices with Spring Security?
hard
microservices, security
Answer
Use OAuth2/JWT across services.
Key concept: Centralized auth.
API gateway integration.
44 What are common Spring Security pitfalls?
medium
pitfalls, debugging
Answer
Misconfigured roles and filters.
Key concept: Configuration errors.
Always test access rules.
45 Design a secure login API using Spring Security.
medium
design, api
Answer
Use JWT, validate credentials, return token.
Key concept: Stateless auth.
Include proper error handling.
Always hash passwords and validate tokens.