Spring Security Fundamentals and Authentication
Interview Preparation Hub for Backend and Cloud-Native Engineering Roles
1. Introduction
Security is one of the most critical aspects of modern application development. Spring Security is the de facto standard for securing Spring applications. It provides a comprehensive framework for authentication, authorization, and protection against common attacks.
This guide covers everything from fundamentals to advanced topics: authentication mechanisms, authorization, JWT, OAuth2, CSRF protection, custom filters, best practices, common mistakes, and interview notes. By the end, you will have mastered Spring Security fundamentals and authentication.
2. Spring Security Architecture
Spring Security is implemented as a chain of servlet filters. DelegatingFilterProxy is an ordinary servlet Filter registered with the container; it looks up the Spring bean named springSecurityFilterChain, which is a FilterChainProxy, and hands every request to it. FilterChainProxy picks the first SecurityFilterChain whose request matcher fits the URL and runs that chain's filters in order: authentication filters (for example UsernamePasswordAuthenticationFilter or BearerTokenAuthenticationFilter) populate the SecurityContextHolder, and the AuthorizationFilter (FilterSecurityInterceptor in older versions) near the end of the chain decides whether the request may reach the controller. Filter order matters: a custom filter inserted in the wrong place runs before the security context it depends on exists.
Client Request → Servlet Container → DelegatingFilterProxy → FilterChainProxy → Authentication Filters → Authorization Filter → Controller
3. Authentication Basics
Authentication verifies identity. Spring Security supports multiple mechanisms:
- Form-based login
- HTTP Basic authentication
- Digest authentication (supported for legacy clients but discouraged: it relies on MD5 and requires the server to hold the plaintext password or an MD5 digest of it)
- Token-based authentication (JWT)
- OAuth2/OpenID Connect
Since Spring Security 5.7 the configuration is a SecurityFilterChain bean (WebSecurityConfigurerAdapter, seen in older examples, was deprecated in 5.7 and removed in 6.0):
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated top to bottom: the public prefix is opened up, everything else needs a login
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Form login with Spring's generated login page; use formLogin(f -> f.loginPage("/login")) for a custom one
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
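The configuration above says which URLs need a login but not where credentials are checked. The following is an added example, not code from the page: a complete configuration that accepts both form login (browsers) and HTTP Basic (scripted clients), backed by a UserDetailsService and a BCrypt PasswordEncoder so that stored passwords are salted hashes rather than plaintext. The two users and their passwords are constructed for the demo; a real deployment loads users, with already-hashed passwords, from a database or directory.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AuthConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        // BCrypt with work factor 12; every hash carries its own random salt,
        // and matches() compares in constant time against the stored hash.
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Demo users constructed for this example only. Production code never builds users
        // from literals; it reads pre-hashed credentials from a datastore.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("correct-horse-battery-staple"))
                .roles("USER")                 // stored as the authority ROLE_USER
                .build(),
            User.withUsername("admin")
                .password(encoder.encode("change-me-before-deploy"))
                .roles("USER", "ADMIN")
                .build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")   // URL-level role check
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())   // browser clients: session cookie after login
            .httpBasic(Customizer.withDefaults());  // API clients: Authorization: Basic on every request
        return http.build();
    }
}
```

Because a PasswordEncoder bean is present, the DaoAuthenticationProvider that Spring builds behind the scenes uses it for every comparison; there is no code path that compares plaintext. If the stored hashes carry the {bcrypt} prefix, a DelegatingPasswordEncoder can be used instead so the algorithm can later be upgraded without a migration.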
4. Authorization
Authorization decides what an authenticated principal may do. Spring Security expresses this through granted authorities; a role is simply an authority with the ROLE_ prefix, so hasRole('ADMIN') is equivalent to hasAuthority('ROLE_ADMIN'). Checks can be attached to URLs in the filter chain or to individual methods:
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(Long id) {
    // Only principals holding the ROLE_ADMIN authority reach this body; anyone else gets an AccessDeniedException
}
Method-level security is enabled with @EnableMethodSecurity (Spring Security 5.6+), which turns on @PreAuthorize and @PostAuthorize by default; the older @EnableGlobalMethodSecurity(prePostEnabled = true) is deprecated. The annotations are enforced by a Spring proxy, so they only apply to calls that enter the bean from outside: a method calling another annotated method on the same object bypasses the check.
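A role check alone does not stop one user from acting on another user's data. The following added example (not code from the page) shows the three kinds of method-level rule a practitioner reaches for: a plain role check, a check against a method argument, and a check on the returned object that closes the object-level authorization (IDOR) gap. The Note record, the NoteService and its in-memory store are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // Spring Security 5.6+; replaces @EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

// Hypothetical domain object: owner is the username allowed to read it
record Note(String id, String owner, String body) { }

@Service
class NoteService {
    // Constructed in-memory store standing in for a repository
    private final Map<String, Note> notes = new ConcurrentHashMap<>();

    // Role check: hasRole('ADMIN') matches the granted authority "ROLE_ADMIN"
    @PreAuthorize("hasRole('ADMIN')")
    public int purge() {
        int removed = notes.size();
        notes.clear();
        return removed;
    }

    // Argument check: a caller may only create notes in their own name unless they are an admin.
    // Referring to #owner by name needs parameter names at runtime (javac -parameters, which
    // Spring Boot's build plugins enable).
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public Note create(String id, String owner, String body) {
        Note note = new Note(id, owner, body);
        notes.put(id, note);
        return note;
    }

    // Return-value check: ids are guessable, so the decision is made on the object that was found.
    // The method body has already run by the time this rule is evaluated.
    @PostAuthorize("returnObject == null or hasRole('ADMIN') or returnObject.owner() == authentication.name")
    public Note find(String id) {
        return notes.get(id);
    }
}
```

A failed rule raises AccessDeniedException, which the filter chain turns into a 403 (or a redirect to login for an unauthenticated caller). Prefer @PreAuthorize wherever the decision can be made from the arguments; @PostAuthorize is for the case where only the loaded object knows who owns it, and it cannot undo side effects of the method it guards.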
5. JWT Authentication
JSON Web Tokens (JWT) are the usual credential for stateless authentication: the server verifies the token's signature and claims on every request instead of looking up a session. Because nothing is kept server-side, a token cannot be revoked before it expires, so keep lifetimes short. Spring Security can validate JWTs through its OAuth2 resource server support or, as here, through a custom filter that runs once per request. The original version of this filter treated the whole Authorization header as the token; the scheme prefix has to be stripped first.
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public abstract class JwtAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) { // header is "Bearer <token>", not the bare token
            String token = header.substring("Bearer ".length());
            if (validateToken(token)) {
                Authentication auth = getAuthentication(token);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // An absent or invalid token leaves the context empty; the authorization filter then rejects the request
        filterChain.doFilter(request, response);
    }
    /** Must verify the signature against the expected key and algorithm, plus the exp, nbf, iss and aud claims. */
    protected abstract boolean validateToken(String token);
    /** Builds an authenticated token whose principal and authorities come from the validated claims only. */
    protected abstract Authentication getAuthentication(String token);
}
6. OAuth2 and OpenID Connect
Spring Security provides first-class support for OAuth2 and OpenID Connect (OIDC), so an application can delegate login to an identity provider such as Google, Facebook or Okta; Spring ships default endpoints for these under CommonOAuth2Provider. A client registration in application.properties is enough for Spring Boot to wire up the authorization-code flow:
spring.security.oauth2.client.registration.google.client-id=your-client-id
spring.security.oauth2.client.registration.google.client-secret=${GOOGLE_CLIENT_SECRET}
spring.security.oauth2.client.registration.google.scope=openid,profile,email
The openid scope is what makes this an OIDC login: with it Spring requests and validates an ID token and the principal is an OidcUser; with only profile,email it falls back to plain OAuth2 login (an OAuth2User populated from the userinfo endpoint, no ID token). Setting the scope property replaces Spring's defaults, which for Google already include openid, profile and email. The client secret is taken from the environment rather than committed alongside the properties file.
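What the registration above buys you at the code level, as an added example that is not from the page: a filter chain that turns on OIDC login and a controller that reads the verified identity. Spring has already checked the ID token's signature, issuer, audience (the client-id) and expiry before the session exists, so the controller only reads claims. The URL paths and the ProfileController are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class OidcLoginConfig {
    @Bean
    SecurityFilterChain loginChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Authorization-code flow against the registrations in application.properties.
            // The code is exchanged server-side, so the client secret never reaches the browser,
            // and the state parameter Spring generates protects the callback against CSRF.
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessUrl("/"));
        return http.build();
    }
}

@RestController
class ProfileController {
    // With the openid scope the principal is an OidcUser backed by the validated ID token
    @GetMapping("/me")
    Map<String, Object> me(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> profile = new LinkedHashMap<>();
        // "sub" is the stable identifier; key local accounts on it, never on the email address
        profile.put("subject", user.getSubject());
        profile.put("issuer", user.getIssuer().toString());
        profile.put("email", user.getEmail());
        // Only trust an email for account linking when the provider asserts it was verified
        profile.put("emailVerified", Boolean.TRUE.equals(user.getEmailVerified()));
        return profile;
    }
}
```

If the registration dropped the openid scope, the same controller would receive null for the OidcUser parameter because the principal would be an OAuth2User; that silent downgrade is why checking the scope list is part of reviewing an OIDC integration.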
7. Protection Against Common Attacks
- CSRF: Protection is on by default and applies to requests with non-safe methods (POST, PUT, PATCH, DELETE); GET, HEAD, OPTIONS and TRACE are not checked, so never change state on a GET. It matters whenever the browser attaches credentials automatically (session cookie, cached HTTP Basic); a bearer token carried in a header is not sent cross-site, which is why stateless APIs may disable it.
- Session fixation: On login the session id is replaced (the changeSessionId strategy by default on Servlet 3.1+), so a session id planted by an attacker before login is never the one that becomes authenticated.
- Clickjacking: The X-Frame-Options: DENY header is sent by default; a Content-Security-Policy frame-ancestors directive can be configured alongside it through the headers configuration.
- XSS: Spring Security does not encode output for you. Rely on the template engine's contextual escaping, validate input, and add a Content-Security-Policy header as defence in depth.
8. Best Practices
- Use HTTPS everywhere.
- Store passwords through a PasswordEncoder such as BCryptPasswordEncoder (Argon2 and SCrypt encoders are also available); never compare plaintext. DelegatingPasswordEncoder prefixes each hash with its algorithm ({bcrypt}) so the scheme can be upgraded later.
- Use JWT or OAuth2 bearer tokens for stateless authentication between microservices, with short lifetimes and a refresh path, because a stateless token cannot be revoked server-side.
- Enable CSRF protection for web applications.
- Apply method-level security for fine-grained control.
- Log and monitor authentication attempts.
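"Log and monitor authentication attempts" is the item most often left as a sentence. Spring Security publishes an AuthenticationSuccessEvent and an AbstractAuthenticationFailureEvent subclass (for example AuthenticationFailureBadCredentialsEvent) for each attempt through the AuthenticationEventPublisher, which Spring Boot registers automatically. The listener below is an added example, not code from the page: it turns those events into structured log lines and keeps a per-source failure counter. The threshold of five failures and the log field names are assumptions; the in-memory counter is per instance and resets on restart, so a multi-node deployment would back it with a shared store.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

@Component
public class LoginAttemptListener {
    private static final Logger log = LoggerFactory.getLogger(LoginAttemptListener.class);
    private static final int ALERT_THRESHOLD = 5; // assumption: escalate after five failures from one address
    private final Map<String, AtomicInteger> failuresBySource = new ConcurrentHashMap<>();

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        String source = remoteAddress(event.getAuthentication().getDetails());
        failuresBySource.remove(source);
        log.info("auth.success user={} source={}", event.getAuthentication().getName(), source);
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        String source = remoteAddress(event.getAuthentication().getDetails());
        int count = failuresBySource.computeIfAbsent(source, k -> new AtomicInteger()).incrementAndGet();
        // The user name on a failure is whatever the client typed, so it goes in as a parameter, never
        // concatenated into the message. Log the exception class, not its text, and never the credentials.
        log.warn("auth.failure user={} source={} reason={} count={}",
                event.getAuthentication().getName(), source,
                event.getException().getClass().getSimpleName(), count);
        if (count >= ALERT_THRESHOLD) {
            log.error("auth.bruteforce.suspected source={} failures={}", source, count);
        }
    }

    // Returns the current failure count for a source; zero once it has logged in successfully
    public int failureCount(String source) {
        AtomicInteger counter = failuresBySource.get(source);
        return counter == null ? 0 : counter.get();
    }

    private static String remoteAddress(Object details) {
        return details instanceof WebAuthenticationDetails web ? web.getRemoteAddress() : "unknown";
    }
}
```

The remote address comes from WebAuthenticationDetails, which records the TCP peer; behind a load balancer enable the servlet container's forwarded-header handling so it reflects the client rather than the proxy, and keep the reason field at class-name granularity so a BadCredentials/UsernameNotFound split does not leak which accounts exist.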
9. Common Mistakes
- Disabling CSRF protection without understanding the risk: it is only safe on endpoints that never authenticate from a cookie or cached Basic credentials (stateless, header-token APIs).
- Storing passwords in plain text.
- Exposing sensitive endpoints without authentication.
- Hardcoding secrets in code.
- Not validating JWTs properly: accepting a token without checking its signature, algorithm, issuer, audience and expiry, or letting the token's own alg header choose how it is verified.
10. Interview Notes
- Be ready to explain authentication vs authorization.
- Discuss Spring Security filter chain.
- Explain JWT authentication flow.
- Describe OAuth2 integration.
- Know best practices for securing applications.
- Identify common mistakes and how to avoid them.
Authentication → Authorization → JWT → OAuth2 → CSRF → Best Practices → Pitfalls
11. Final Mastery Summary
Spring Security provides a comprehensive framework for authentication and authorization. By mastering its fundamentals, you can secure applications against common threats, integrate with modern identity providers, and build robust microservices architectures.
In this guide, we explored:
- Spring Security architecture and filter chain.
- Authentication mechanisms: form login, basic auth, JWT, OAuth2.
- Authorization with roles and method-level security.
- Protection against CSRF, session fixation, clickjacking, and XSS.
- Best practices and common mistakes.
- Interview notes for mastering Spring Security fundamentals and authentication.
By applying these concepts, you ensure that your Spring applications are secure, resilient, and production-ready. Security is not just about preventing unauthorized access; it is about building trust with users, protecting sensitive data, and complying with industry standards.
For interviews, emphasize your understanding of authentication flows, authorization mechanisms, JWT and OAuth2 integration, CSRF protection, and the Spring Security filter chain. Demonstrating mastery of these topics shows readiness for backend engineering, microservices architecture, and enterprise application development roles.
Fundamentals → Authentication → Authorization → JWT → OAuth2 → CSRF → Best Practices → Interview Prep → Mastery