Advanced Authentication & Authorization
Advanced authentication, fine-grained authorization with @PreAuthorize/@PostAuthorize, roles, permissions, SpEL
1What is the main role of the UserDetailsService interface in Spring Security?
What is the main role of the UserDetailsService interface in Spring Security?
回答
UserDetailsService is responsible for loading user information from the data source (database, LDAP, etc.) during authentication. Its loadUserByUsername() method returns a UserDetails object containing the username, password, roles and authorities. Spring Security then uses this information to validate credentials and build the SecurityContext.
2Which annotation enables method-level security in Spring Security 6+?
Which annotation enables method-level security in Spring Security 6+?
回答
@EnableMethodSecurity is the modern annotation in Spring Security 6+ that enables method-level security. It replaces the old @EnableGlobalMethodSecurity and enables @PreAuthorize, @PostAuthorize and @Secured by default. It uses AOP proxy-based configuration to intercept method calls and check authorizations.
3When does the @PreAuthorize annotation check authorizations?
When does the @PreAuthorize annotation check authorizations?
回答
@PreAuthorize checks authorizations BEFORE method execution. If the SpEL condition returns false, an AccessDeniedException is thrown and the method is never executed. This prevents access to unauthorized resources from the start. In contrast, @PostAuthorize checks after execution, which is useful for filtering results based on the user.
What is the main difference between hasRole() and hasAuthority() in Spring Security?
How to implement a custom UserDetailsService that loads users from a database?
+27 面接問題