Spring Security
Cert Focus
You should understand authentication, authorization, filters, users, passwords, sessions, CSRF, CORS, JWT, and security testing basics.
Must Know
- Authentication asks who the user is.
- Authorization asks what the user can do.
- Spring Security is built around a filter chain.
- Passwords should be encoded with a
PasswordEncoder. - CSRF matters for browser-based state-changing requests.
- CORS controls cross-origin browser access.
- Stateless APIs commonly use bearer tokens or JWT.
- Security tests can use
@WithMockUser,csrf(), and JWT helpers.
Direct Book Links
- Spring Security Mental Model
- Users, Passwords, and Authentication Flow
- Authorization Deep Dive
- CSRF, CORS, Sessions, Stateless APIs, and JWT
- Security Testing
Exam Trap
Disabling CSRF may be reasonable for stateless APIs, but it is not a universal security improvement.
Self-Check
- Can I explain authentication vs authorization?
- Can I explain why Spring Security runs before controllers?
- Can I explain 401 vs 403?
- Can I explain CSRF vs CORS?
Model Answers
Authentication asks who the user is. Authorization asks what that user is allowed to do.
Spring Security runs before controllers because it is mainly implemented through servlet filters in the security filter chain.
401 means unauthenticated. 403 means authenticated but forbidden.
CSRF protects browser cookie-based applications from unwanted state-changing requests. CORS controls which browser origins are allowed to call the API across origins.
Memory Sentence
Authentication identifies the user; authorization checks permissions.