
1.

Is security a cross-cutting concern?

Answer»

Spring Security is indeed a cross-cutting concern, and internally it uses Spring AOP (Aspect-Oriented Programming). A cross-cutting concern is one that applies throughout the whole application rather than to a single module. Some cross-cutting concerns typical of an enterprise application are:

  • Logging and tracing
  • Transaction management
  • Security
  • Caching
  • Error handling
  • Performance monitoring
  • Custom Business Rules
2.

Explain AbstractSecurityInterceptor in Spring Security.

Answer»

In Spring Security, the AbstractSecurityInterceptor handles the initial authorization of incoming requests. It has two concrete implementations:

  • FilterSecurityInterceptor: authorizes HTTP requests as they pass through the servlet filter chain.
  • MethodSecurityInterceptor: crucial for method-level security; it lets us secure the application at the level of individual method invocations.
3.

What is PasswordEncoder?

Answer»

Spring Security provides password encoding through the PasswordEncoder interface. This interface defines two methods:

  • encode(): converts a plain-text password into its encoded (hashed) form.
  • matches(): takes the plain password supplied by the user, encodes it with the same salt and hashing algorithm, and compares the result with the encoded password stored in the database.
4.

Explain salting and its usage.

Answer»

Spring Security applies salting automatically since version 3.1. Salting is the process of combining random data (the salt) with a password before hashing it. The salt makes every hash unique without placing any extra burden on users, which blunts password attacks. The hashed password is stored in the database along with its salt. Because each password gets its own salt, an attacker cannot run one precomputed dictionary of hashes against the whole table, so salting protects your application from dictionary attacks. In effect, the salt adds an extra string to the password that makes it harder to crack.

5.

What do you mean by hashing in Spring Security?

Answer»

Storing passwords is a common weak point in database security. Passwords cannot be stored in plain text, because anyone with access to the database would then know every user's password. The solution is to store a hashed form of each password instead of the password itself; this is called password hashing.

In general security terms, hashing means transforming a string according to a hashing algorithm. MD4, MD5 and the SHA (Secure Hash Algorithm) family, such as SHA256 and SHA128, are examples of hashing algorithms that can be applied. The hashing method takes the password as input and returns a hashed string, and it is this hashed string, rather than the plain text, that is stored in the database.
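The encode()/matches() contract from question 3, with the per-password random salt of question 4 and the hashed storage of question 5, as an added Python example that is not Spring's own PasswordEncoder or code from the original page; the `pbkdf2$iterations$salt$hash` storage layout and the passwords are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


class SaltedPasswordEncoder:
    """Mirrors the encode()/matches() contract of Spring's PasswordEncoder.

    Stored form (constructed layout): "pbkdf2$<iterations>$<salt>$<hash>".
    Keeping the salt next to the hash is what lets matches() re-derive the same
    hash later; a fresh random salt per password means equal passwords never collide.
    """

    def __init__(self, iterations: int = 310_000, salt_bytes: int = 16):
        self.iterations = iterations
        self.salt_bytes = salt_bytes

    @staticmethod
    def _derive(raw: str, salt: bytes, iterations: int) -> bytes:
        # A slow, salted key-derivation function rather than a bare MD5/SHA digest:
        # the work factor is what makes offline guessing expensive.
        return hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), salt, iterations)

    def encode(self, raw: str) -> str:
        salt = os.urandom(self.salt_bytes)  # new random salt for every call
        digest = self._derive(raw, salt, self.iterations)
        return f"pbkdf2${self.iterations}${_b64(salt)}${_b64(digest)}"

    def matches(self, raw: str, encoded: str) -> bool:
        try:
            scheme, iters, salt_b64, hash_b64 = encoded.split("$")
            iterations = int(iters)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
        except (ValueError, TypeError):
            return False  # malformed stored value: fail closed
        if scheme != "pbkdf2":
            return False
        actual = self._derive(raw, salt, iterations)
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    enc = SaltedPasswordEncoder(iterations=1_000)  # low count only to keep the demo fast
    stored = enc.encode("correct horse")
    print(stored)
    print(enc.matches("correct horse", stored))    # True
    print(enc.matches("wrong horse", stored))      # False
    print(enc.encode("correct horse") != stored)   # True: new salt, new hash
```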

6.

What is method security and why do we need it?

Answer»

Simply put, Spring method security lets us apply authorization at the method level. In addition to authentication, Spring Security checks the authorization of the logged-in user: on login, the user's role is used to determine which resources that user may access, and when creating a new user in WebSecurityConfig we can specify the role as well. A security rule applied to a method blocks unauthorized users and admits only authenticated, authorized ones. The purpose of method-level security is not to help users who already have access but to prevent unauthorized users from performing actions beyond their privileges and roles. Method-level security is implemented using AOP (Aspect-Oriented Programming).

7.

What do you mean by OAuth2 Authorization code grant type?

Answer»

In OAuth 2.0, the term "grant type" refers to the way an application obtains an access token. The authorization code grant is one of several grant types defined by OAuth 2.0. Both web applications and native applications use it to obtain an access token after a user has authorized the application. Unlike most other grant types, it requires the application to first launch a browser to begin the flow. The process involves the following steps:

  • The application opens a browser and sends the user to the OAuth authorization server.
  • The user sees the authorization prompt and approves the application's request.
  • After approval, the user is redirected back to the application with an authorization code in the query string.
  • The application exchanges the authorization code for an access token.
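The four steps above with both sides of the exchange, as an added Python example that is not part of the original page and not a real OAuth server: the client registration (`web-app`, its secret and redirect URI), the users and the 60-second code lifetime are constructed, and the token endpoint shows the checks a server performs on the code (single use, bound to the client and redirect URI, short-lived).

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "web-app", "s3cret"          # constructed client registration
REDIRECT_URI = "https://app.example/callback"

class AuthorizationServer:
    """Toy authorization server (constructed for this example, not a real OAuth server)."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}  # client_id -> (secret, redirect)
        self.codes = {}   # code -> grant details
        self.tokens = {}  # access_token -> user it was issued for

    def authorize(self, client_id, redirect_uri, user, approved):
        """Steps 1-3: the browser lands here, the user approves, and is sent back with a code."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "issued": time.time()}
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange of the code for an access token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: an authorization code is single-use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or time.time() - grant["issued"] > 60):  # seconds; codes are exchanged at once
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = grant["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

def extract_code(redirect_url):
    # Client side: read the code (if any) out of the redirect's query string.
    return parse_qs(urlparse(redirect_url).query).get("code", [None])[0]

def client_flow(server, user="alice", approved=True):
    """The application side of the four steps; returns the access token, or None if declined."""
    redirect = server.authorize(CLIENT_ID, REDIRECT_URI, user, approved)
    code = extract_code(redirect)
    if code is None:
        return None
    return server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)["access_token"]
```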
8.

Explain Spring Security OAuth2.

Answer»

OAuth 2.0 is a simple authorization framework that lets client applications access protected resources through an authorization server. Using it, a third-party client application can obtain limited access to an HTTP service either on behalf of the resource owner or on its own behalf.

OAuth2 defines four roles:

  • Resource Owner/User: the owner of a resource, i.e., the individual who holds the rights to that resource.
  • Client: the application that requests an access token (which represents the user's permission for the client to access their data/resources) and, once it holds the token, calls the protected resource server.
  • Authorization Server: after authenticating the resource owner and obtaining authorization, it issues access tokens to the client.
  • Resource Server: hosts the requested resources; it first validates the access token and then grants access.
9.

Explain SecurityContext and SecurityContextHolder in Spring Security.

Answer»

Two fundamental classes in Spring Security are SecurityContext and SecurityContextHolder:

  • SecurityContext: stores information about the currently authenticated user (also known as the principal). To obtain the username or any other detail about the user, you must first obtain the SecurityContext.
  • SecurityContextHolder: a helper class that provides access to the security context; the easiest way to retrieve the currently authenticated principal is a static call to it. By default it stores the SecurityContext in a ThreadLocal, so the context is available to every method running on the same thread of execution even though it is never passed around explicitly.
10.

What do you mean by session management in Spring Security?

Answer»

In security terms, session management means securing and managing the sessions of multiple users across their requests. A session is the sequence of requests and responses associated with a particular user, and session management keeps the interaction between that user and the application secure. It is one of the most critical aspects of Spring Security, because poorly managed sessions put users' data at risk. To control HTTP sessions, Spring Security uses the following components:

  • SessionManagementFilter
  • SessionAuthenticationStrategy

With these two, Spring Security can manage the following session security options:

  • Session timeouts (how long a user can remain inactive before the site ends the session).
  • Concurrent sessions (how many sessions an authenticated user can have open at once).
  • Session fixation (protection against an attack that lets an attacker hijack a valid user session).
11.

What do you mean by digest authentication?

Answer»

RESTful web services can be authenticated in many ways; digest authentication is one of the more advanced ones. Instead of sending the password itself, the client applies a hash function to the username, password, HTTP method and URI and sends the resulting digest, so the credentials never travel in plain text. Because the server receives only a hash it can recompute and compare, the transmitted value is far harder to recover than a plain or base64-encoded password.

Syntax: 

Hash1 = MD5(username:realm:password)
Hash2 = MD5(method:digestURI)
response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Example header, as generated by running such a request:

Authorization: Digest username="TestAdmin", realm="admin-digest-realm", nonce="MTYwMDEwMTUyMDM4OToxM2M1Y2I4MGFjMjk4OGI1ODQzZjc3NDUzOGFlMjZjYw==", uri="/admin/hello?name=User", response="2f080edbec53be2bdf3853d477e4a543", qop=auth, nc=00000002, cnonce="11ecd9bf947dbcf4"
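The three-step formula above carried through in Python, with the header parsed and the digest re-verified on the server side, as an added example that is not code from the original page or from Spring Security; the password, nonce, nc and cnonce values are constructed (the page's example header cannot be reproduced because its password is not given).

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The page's formula: Hash1 from the credentials, Hash2 from the request, then response."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{hash1}:{nonce}:{nc}:{cnonce}:{qop}:{hash2}")

def build_authorization_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: assemble the Authorization header in the same shape as the example."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')

def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify_digest(header, method, password_lookup, realm):
    """Server side: recompute the digest from the stored password and compare.
    password_lookup(username) returns the password or None. A real server must also
    check that it issued the nonce recently and that nc has not been seen before."""
    try:
        f = parse_digest_header(header)
        password = password_lookup(f["username"])
        if password is None or f["realm"] != realm:
            return False
        expected = digest_response(f["username"], realm, password, method, f["uri"],
                                   f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
        return hmac.compare_digest(expected, f["response"])
    except (KeyError, ValueError):
        return False  # missing field or malformed header: fail closed

if __name__ == "__main__":
    users = {"TestAdmin": "constructed-password"}  # constructed credential store
    hdr = build_authorization_header("TestAdmin", "admin-digest-realm", "constructed-password",
                                     "GET", "/admin/hello?name=User", "constructednonce123",
                                     "00000001", "0a1b2c3d")
    print(verify_digest(hdr, "GET", users.get, "admin-digest-realm"))   # True
    print(verify_digest(hdr, "POST", users.get, "admin-digest-realm"))  # False: method is in Hash2
```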
12.

What do you mean by basic authentication?

Answer»

RESTful web services can be authenticated in many ways; the simplest is basic authentication. In basic authentication we send the username and password in the HTTP Authorization header in order to access the resource. The username and password are base64-encoded (not encrypted), and the encoding is not secure, since anyone who sees the header can decode it.

Syntax:  

Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>

Example:

Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==

Decoding the value gives back the original username:password, here TestUser:test123
13.

What is Spring security authentication and authorization?

Answer»
  • Authentication: the process of verifying a user's identity using the credentials provided when accessing certain restricted resources. Authenticating a user involves two steps, identification and verification. An example is logging into a website with a username and password. It answers the question: who are you?
  • Authorization: determining whether a user, once successfully logged in, has the authority to perform an action or view data. It ensures that users can only access the parts of a resource they are permitted to access. It answers the question: can this user do or read this?
14.

What are some essential features of Spring Security?

Answer»

Some essential features of Spring Security include:

  • Flexible and comprehensive support for authentication and authorization.
  • Detection and prevention of attacks such as session fixation, clickjacking and cross-site request forgery.
  • Integration with the Servlet API.
  • Optional integration with Spring Web MVC (Model-View-Controller).
  • Authentication through the Java Authentication and Authorization Service (JAAS).
  • Single Sign-On, so that users can access multiple applications with one account (username and password).