Skip to content

Q05-spring-security.md

Latest commit

 

History

History
110 lines (85 loc) · 3.45 KB

Q05-spring-security.md

File metadata and controls

110 lines (85 loc) · 3.45 KB

Q05 — How to Implement Security in Spring Boot

Interview Tip: Don't just say "add the dependency." Walk through JWT flow — that's what interviewers actually want to hear.

🔑 Two Common Approaches

  1. Basic Auth — username/password in every request header (for internal/dev use)
  2. JWT (JSON Web Token) — token-based, stateless, used in real projects ✅

📌 JWT Flow (What Interviewers Want)

Client → POST /login (username + password)
         → Server validates credentials
         → Server generates JWT token
         → Returns token to client

Client → GET /api/users (with JWT in Authorization header)
         → Filter intercepts request
         → Validates token (signature + expiry)
         → Sets SecurityContext
         → Request reaches controller

💻 Code — Key Classes to Show Live

1. Security Config

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()  // public endpoints
                .anyRequest().authenticated()                  // all others need JWT
            )
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

2. JWT Filter

@Component
public class JwtAuthFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
                                    throws ServletException, IOException {

        String authHeader = request.getHeader("Authorization");

        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            String token = authHeader.substring(7);
            String username = jwtService.extractUsername(token);

            if (username != null && SecurityContextHolder.getContext()
                                        .getAuthentication() == null) {
                // validate token and set authentication
                UsernamePasswordAuthenticationToken authToken =
                    new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}

📌 Key Points

  • Add dependency: spring-boot-starter-security + jjwt (for JWT)
  • SecurityFilterChain → replaces old WebSecurityConfigurerAdapter (deprecated)
  • JWT is stateless → server doesn't store session
  • JWT contains: Header.Payload.Signature (Base64 encoded)
  • BCryptPasswordEncoder → always use for password hashing, never plain text
  • UserDetailsService → implement to load user from DB

📌 Key Annotations

Annotation Use
@EnableWebSecurity Enable Spring Security
@PreAuthorize("hasRole('ADMIN')") Method-level security
@Secured("ROLE_USER") Role-based access on method