Spring Security Basics
Spring Security, authentication, authorization, SecurityFilterChain, UserDetailsService, PasswordEncoder
1What is Spring Security?
What is Spring Security?
답변
Spring Security is a security framework for Spring applications that provides authentication and authorization features. It protects applications against common attacks (CSRF, XSS, session fixation) and offers integration with various authentication mechanisms (form login, HTTP Basic, OAuth2, JWT). The framework uses a filter chain (Security Filter Chain) to intercept and process HTTP requests before they reach controllers.
2What is the difference between authentication and authorization in Spring Security?
What is the difference between authentication and authorization in Spring Security?
답변
Authentication verifies user identity (who are you?), typically via username/password, while authorization verifies permissions (what can you do?). Authentication happens first and creates a SecurityContext with user information. Authorization then uses this information to decide if the user can access a specific resource. For example, a user can be successfully authenticated but not authorized to access /admin if their role is USER and not ADMIN.
3What is the SecurityContext in Spring Security?
What is the SecurityContext in Spring Security?
답변
The SecurityContext is an object that contains the security information of the currently authenticated user, primarily the Authentication object. It is stored in the SecurityContextHolder and accessible throughout request processing. After successful authentication, Spring Security creates a SecurityContext containing an Authentication with user details (username, authorities, credentials). This context allows the application to check who the current user is and what their permissions are.
How does SecurityContextHolder store the SecurityContext by default?
What is the role of the UserDetails interface in Spring Security?
+22 면접 질문