Top 24 Spring Security Interview Questions You Must Prepare 20.Jul.2024

Q1. Why Do You Need The Intercept-url?

intercept-url element is used to define the set of URL patterns that the application is interested in and to configure how they should be handled.

Q2. Which Java And Spring Version Are Needed For Spring Security?

Spring security 3.0 and jdk 1.5.

Q3. How To Add Security To Method Calls Made On Spring Beans In The Application Context?

< global-method-security pre-post-annotations="enabled" / >

Q4. In Which Security Annotation Are You Allowed To Use Spel?

They are @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter. These annotations support expression attributes to allow pre and post-invocation authorization checks and also to support filtering of submitted collection arguments or return values

Method security is a bit more complicated than a simple allow or deny rule. Spring Security 3.0 introduced some new annotations in order to allow comprehensive support for the use of expressions.

<global-method-security pre-post-annotations="enabled"/>


public void create(Contact contact); 

Q5. What Are Access Controls In Spring Security?

  • To access the account list, you must be authenticated.
  • The files in the directory "/secure" should only be visible to authenticated users.
  • The files in the directory "/secure/extreme" should only be visible to Supervisors.
  • Withdrawal and deposits can be made only by Tellers and Supervisors.
  • Overdraft limit for an account can be exceeded only by Supervisors.

Q6. What Is A Security Context?

Security context in Spring Security includes details of the principal currently using the application. Security context is always available to methods in the same thread of execution, even if the security context is not explicitly passed around as an argument to those methods.

Q7. From The Applications Perspective, How Many User Roles Needed In Spring Security?

Three user roles are there in spring.

  • Supervisors
  • Tellers
  • Plain Users

Q8. Are You Able To Add And/or Replace Individual Filters?

Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required.

Q9. What Do

@Secured and @RolesAllowed both annotation provide method level security in to Spring Beans. @Secured is Spring Security annotation from version 2.0 onwards Spring Security. But @RolesAllowed is JSR 250 annoatation. Spring Security provides the support for JSR 250 annotation as well for method level security. @RolesAllowed provides role based security only.

Q10. How Is A Principal Defined?

Inside the SecurityContextHolder we store details of the principal currently interacting with the application. Spring Security uses an Authentication object to represent this information.

Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

if (principal instanceof UserDetails) {

String username = ((UserDetails)principal).getUsername();

} else {

String username = principal.toString();


Q11. Is It Enough To Hide Sections Of My Output (e.g. Jsp-page)?

No, because we cannot readily reverse engineer what URL is mapped to what controller endpoint as controllers can rely on headers, current user, etc to determine what method to invoke.

JSP Tag Libraries- Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs.

Q12. What Is The Security Filter Chain?

In Spring Security you have a lot of filters for web application and these filters are Spring Beans. Each Spring security filter bean that require in your application you have to declare in your application context file and as we know that filters would be applied to application only when they would be declared on web.xml. Now DelegatingFilterProxy comes into picture for delegating the request to fillter which declared into application context file by adding a corresponding DelegatingFilterProxy entry to web.xml for each filter and we have to make sure about ordered, it should be define correctly, but this would be cumbersome and would clutter up the web.xml file quickly if you have a lot of filters. FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans.

<bean id="filterChainProxy" class="">



 <sec:filter-chain pattern="/restful/**" filters="




  filterSecurityInterceptor" />

 <sec:filter-chain pattern="/**" filters="




  filterSecurityInterceptor" />




Q13. How To Restrict Static Resources Processed By Spring Security Filters?

< http pattern="/static/**" security="none" / >

Q14. Does Spring Security Support Password Hashing? What Is Salting?

Yes, Spring Security provides support for password hashing. The salt is used to prevent dictionary attacks against the key in the event your encrypted data is compromised.

Q15. Will Spring Security Secures All The Applications?

No, in web application, we need to do some more things to secure full application to save from attackers.

Q16. When I Try To Login, Application Goes In Endless Loop. What Is Wrong?

It happens when login page is secured resource. Login page should not be secured, it should be marked as ROLE_ANONYMOUS.

Q17. Which Filter Class Is Needed For Spring Security?


Q18. When I Login In The Application Where Spring Security Is Applied And Got The Messages "bad Credentials". What Is Wrong?

Authentication has failed for the given userid and password.

Q19. What Are All Security Layers In Spring Security Framework?

  • Authentication:
  • Web request security
  • Service layer and domain object security

Q20. Why Do You Need Method Security? What Type Of Object Is Typically Secured At The Method Level.

  • Spring Security uses AOP for security at the method level
  • annotations based on Spring annotations or JSR-250 annotations
  • Java configuration to activate detection of annotations
  • It typically secure your services
  • Do not access repositories directly, bypasses security (and transactions)

Q21. What Is Authentication And Authorization? Which Must Come First?

Authentication – Establishing that a principal’s credentials are valid

Authorization – Deciding if a principal is allowed to perform an action

Authentication comes first before Authorization because authorization process needs princial object with authority votes to decide user allow to perform a action for secured resource.

Q22. What Is The Delegating Filter Proxy?

Spring’s DelegatingFilterProxy provides the link between web.xml and the application context. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces.









Q23. Is Security A Cross Cutting Concern? How Is It Implemented Internally?

Yes, Spring Security is a cross cutting concern. Spring security is also using Spring AOP internally.

Q24. What Is Mandatory Filter Name Main Purpose?

  • SecurityContextIntegrationFilter – Establishes SecurityContext and maintains between HTTP requests
  • LogoutFilter – Clears SecurityContextHolder when logout requested
  • UsernamePasswordAuthenticationFilter – Puts Authentication into the SecurityContext on login request
  • ExceptionTranslationFilter – Converts SpringSecurity exceptions into HTTP response or redirect
  • FilterSecurityInterceptor – Authorizes web requests based on on config attributes and authorities