Skip to main content

Spring Security

Cert Focus

You should understand authentication, authorization, filters, users, passwords, sessions, CSRF, CORS, JWT, and security testing basics.

Must Know

  • Authentication asks who the user is.
  • Authorization asks what the user can do.
  • Spring Security is built around a filter chain.
  • Passwords should be encoded with a PasswordEncoder.
  • CSRF matters for browser-based state-changing requests.
  • CORS controls cross-origin browser access.
  • Stateless APIs commonly use bearer tokens or JWT.
  • Security tests can use @WithMockUser, csrf(), and JWT helpers.

Exam Trap

Disabling CSRF may be reasonable for stateless APIs, but it is not a universal security improvement.

Self-Check

  • Can I explain authentication vs authorization?
  • Can I explain why Spring Security runs before controllers?
  • Can I explain 401 vs 403?
  • Can I explain CSRF vs CORS?
Model Answers

Authentication asks who the user is. Authorization asks what that user is allowed to do.

Spring Security runs before controllers because it is mainly implemented through servlet filters in the security filter chain.

401 means unauthenticated. 403 means authenticated but forbidden.

CSRF protects browser cookie-based applications from unwanted state-changing requests. CORS controls which browser origins are allowed to call the API across origins.

Memory Sentence

Authentication identifies the user; authorization checks permissions.