Spring Security OAuth2 Resource Server Deep Dive
Configure JWT validation, custom claims extraction, method-level security, and multi-tenancy in Spring Security 6. Real patterns from BFSI systems.
Tags: Spring Security, OAuth2, JWT, Multi-tenancy
Basic Resource Server Setup
```java
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize; replaces @EnableGlobalMethodSecurity from Spring Security 5
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                // only the liveness probe is open; every other actuator endpoint still needs a token
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                // jwtConverter() is the bean defined under "Custom Claims Extraction" below
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter()))
            )
            // the bearer token carries the whole security context, so never create an HTTP session
            .sessionManagement(s -> s.sessionCreationPolicy(STATELESS))
            .build();
    }
}
```

This chain does not say where the signing keys come from. Spring builds the `JwtDecoder` from `spring.security.oauth2.resourceserver.jwt.issuer-uri` (or `jwk-set-uri`) unless a `JwtDecoder` bean is declared; with neither, the filter chain cannot be built and the application fails at startup rather than accepting unverified tokens.

Custom Claims Extraction
```java
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Bean
public JwtAuthenticationConverter jwtConverter() {
    var converter = new JwtAuthenticationConverter();
    // Map the custom "roles" claim to ROLE_* authorities so hasRole('VIEWER') works.
    // The default converter would instead read "scope"/"scp" into SCOPE_* authorities.
    converter.setJwtGrantedAuthoritiesConverter(jwt -> {
        List<String> roles = jwt.getClaimAsStringList("roles");
        if (roles == null) {
            return List.of();   // token without the claim: no authorities, not a NullPointerException
        }
        return roles.stream()
            .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r))
            .collect(Collectors.toList());
    });
    // authentication.name stays the "sub" claim unless setPrincipalClaimName(...) is called
    return converter;
}
```

Method-Level Security
```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/accounts")
public class AccountController {

    // hasRole('VIEWER') matches the ROLE_VIEWER authority produced by jwtConverter();
    // authentication.name is the token's "sub" claim, so a user can only read the account whose id equals their subject
    @GetMapping("/{id}")
    @PreAuthorize("hasRole('VIEWER') and #id == authentication.name")
    public Account getAccount(@PathVariable String id) { ... }

    // @accountService is the Spring bean named "accountService"; it receives the JwtAuthenticationToken
    // and can inspect any claim it needs, so ownership is decided before the handler body runs
    @PostMapping("/{id}/transfer")
    @PreAuthorize("hasRole('MAKER') and @accountService.isOwner(#id, authentication)")
    public Transfer initiateTransfer(@PathVariable String id, @RequestBody TransferRequest req) { ... }
}
```

Interview Questions
1. How does Spring Security validate JWT signatures?
2. What is the difference between @PreAuthorize and @Secured?
3. How do you implement multi-tenant JWT validation?
4. What happens when a JWT expires mid-request?
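Worked answer to questions 1, 3 and 4, as an added example that is not part of the original page: one `NimbusJwtDecoder` per trusted issuer, each with an explicit issuer, timestamp and audience validator chain, wired into a `JwtIssuerAuthenticationManagerResolver` so the issuer named in the token selects the decoder. The issuer URLs, the `accounts-api` audience, the class name `MultiTenantJwtConfig` and the 30-second clock skew are assumed values; the `jwtConverter` parameter is the `JwtAuthenticationConverter` bean from the Custom Claims Extraction section, and `NimbusJwtDecoder.withIssuerLocation` requires Spring Security 6.1 or later. The `tenantFilterChain` bean stands in for the page's `filterChain`, because `authenticationManagerResolver(...)` replaces the `.jwt(...)` call rather than adding to it.

```java
// Added example, not from the original page. Issuer URLs, audience and clock skew are assumed.
import java.time.Duration;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiTenantJwtConfig {

    // Assumed tenant issuers. A token whose "iss" is not in this list is rejected before any key lookup.
    private static final List<String> TRUSTED_ISSUERS = List.of(
        "https://idp.tenant-a.example/realms/retail",
        "https://idp.tenant-b.example/realms/corporate");

    // Assumed audience value that the authorization server puts in "aud" for this API.
    private static final String EXPECTED_AUDIENCE = "accounts-api";

    /** Decoder for one issuer: signature via the issuer's JWK set, then iss, exp/nbf and aud checks. */
    static NimbusJwtDecoder decoderFor(String issuer) {
        // Discovers jwks_uri from the issuer's metadata and verifies the JWS signature against those keys.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();

        // The default validator set covers issuer and timestamps only. Without an audience check a token
        // minted by the same issuer for a different API would be accepted here.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));

        // exp/nbf are evaluated once, when the bearer token filter runs, with 30 s of allowed skew.
        // A token that expires while its request is still executing is not re-checked; the next
        // request presenting it fails here with a 401.
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator(Duration.ofSeconds(30));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<Jwt>(
            new JwtIssuerValidator(issuer), timestamps, audience));
        return decoder;
    }

    /** One AuthenticationManager per tenant, all sharing the page's roles-claim converter. */
    @Bean
    AuthenticationManagerResolver<HttpServletRequest> tenantResolver(JwtAuthenticationConverter jwtConverter) {
        Map<String, AuthenticationManager> managers = new LinkedHashMap<>();
        for (String issuer : TRUSTED_ISSUERS) {
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoderFor(issuer));
            provider.setJwtAuthenticationConverter(jwtConverter);
            managers.put(issuer, new ProviderManager(provider));
        }
        // The resolver reads the still-unverified "iss" claim only to pick a manager. Map::get returns
        // null for unknown issuers, which the resolver reports as an invalid token. Nothing in the
        // token is trusted until the chosen decoder has verified the signature and the validators pass.
        return new JwtIssuerAuthenticationManagerResolver(managers::get);
    }

    /** Stands in for the page's filterChain: authenticationManagerResolver replaces .jwt(...). */
    @Bean
    SecurityFilterChain tenantFilterChain(HttpSecurity http,
            AuthenticationManagerResolver<HttpServletRequest> tenantResolver) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // configuring both .jwt(...) and authenticationManagerResolver(...) is rejected at startup
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(tenantResolver))
            .build();
    }
}
```

The allow-list is the security boundary of this design: `JwtIssuerAuthenticationManagerResolver` has to read `iss` before the signature is checked, so it must never be allowed to resolve arbitrary issuers to decoders, which is why the map is built from a fixed list rather than from the token.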