Spring Security面试题
基础概念
Q1: Spring Security的核心功能有哪些?
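public class SecurityBasicDemo {

    /** Q1 demo: declarative URL authorization, form login/logout and an in-memory user store. */
    public class SecurityConfigExample {

        public void configDemo() {

            @Configuration
            @EnableWebSecurity
            public class SecurityConfig extends WebSecurityConfigurerAdapter {

                /**
                 * Builds the HTTP security rules.
                 * Matchers are evaluated in declaration order, so the open "/public/**" rule and the
                 * ADMIN-only "/admin/**" rule must precede the catch-all anyRequest().authenticated().
                 *
                 * @param http the builder supplied by Spring Security
                 * @throws Exception propagated from the builder
                 */
                @Override
                protected void configure(HttpSecurity http) throws Exception {
                    http.authorizeRequests()
                            .antMatchers("/public/**").permitAll()
                            .antMatchers("/admin/**").hasRole("ADMIN")
                            .anyRequest().authenticated()
                        .and()
                            .formLogin()
                            .loginPage("/login")
                            .defaultSuccessUrl("/dashboard")
                        .and()
                            .logout()
                            .logoutUrl("/logout")
                            .logoutSuccessUrl("/login");
                }

                /**
                 * Registers one in-memory demo user. The password is stored as a BCrypt hash, so the
                 * user store never holds the clear-text value.
                 *
                 * @param auth the authentication builder supplied by Spring Security
                 * @throws Exception propagated from the builder
                 */
                @Override
                protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                    auth.inMemoryAuthentication()
                            .withUser("user")
                            .password(passwordEncoder().encode("password"))
                            .roles("USER");
                }

                /** Salted, adaptive password hashing shared with the rest of the context as a bean. */
                @Bean
                public PasswordEncoder passwordEncoder() {
                    return new BCryptPasswordEncoder();
                }
            }
        }
    }

    /** Q1 demo: a custom AuthenticationProvider plugged into the provider chain. */
    public class AuthenticationExample {

        public void authDemo() {

            @Component
            public class CustomAuthenticationProvider implements AuthenticationProvider {

                /**
                 * Verifies a username/password token via validateUser (defined elsewhere).
                 *
                 * @param auth the unauthenticated token; principal is the username, credentials the password
                 * @return an authenticated token carrying ROLE_USER
                 * @throws BadCredentialsException when credentials are absent or rejected; the same
                 *     message is used for both so a caller cannot tell the cases apart
                 */
                @Override
                public Authentication authenticate(Authentication auth) throws AuthenticationException {
                    String username = auth.getName();
                    Object credentials = auth.getCredentials();
                    // The original called toString() unguarded and would NPE on a token with no credentials.
                    if (credentials == null) {
                        throw new BadCredentialsException("Invalid credentials");
                    }
                    String password = credentials.toString();
                    if (!validateUser(username, password)) {
                        throw new BadCredentialsException("Invalid credentials");
                    }
                    List<GrantedAuthority> authorities =
                            Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
                    return new UsernamePasswordAuthenticationToken(username, password, authorities);
                }

                /**
                 * Reports which token types this provider handles.
                 * isAssignableFrom accepts subclasses of the token as well; the original equals()
                 * comparison silently rejected them.
                 *
                 * @param authentication the token class offered by the ProviderManager
                 * @return true for UsernamePasswordAuthenticationToken and its subclasses
                 */
                @Override
                public boolean supports(Class<?> authentication) {
                    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
                }
            }
        }
    }
}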
Q2: Spring Security的认证和授权机制是怎样的?
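public class AuthenticationAuthorizationDemo {

    /** Q2 demo, authentication side: resolving users from the application's own repository. */
    public class AuthenticationMechanismExample {

        public void authMechanismDemo() {

            @Service
            public class CustomUserDetailsService implements UserDetailsService {

                /**
                 * Loads the Spring Security view of a user by login name.
                 *
                 * @param username the login name submitted by the client
                 * @return the user with its stored (already hashed) password and role authorities
                 * @throws UsernameNotFoundException when the repository returns null for the name
                 */
                @Override
                public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                    User user = userRepository.findByUsername(username);
                    if (user == null) {
                        throw new UsernameNotFoundException(username);
                    }
                    return new org.springframework.security.core.userdetails.User(
                            user.getUsername(),
                            user.getPassword(),
                            getAuthorities(user.getRoles()));
                }

                /**
                 * Converts domain roles to authorities using the role name verbatim.
                 * NOTE(review): hasRole("ADMIN") checks expect the "ROLE_" prefix — confirm Role names carry it.
                 *
                 * @param roles the user's roles
                 * @return one authority per role
                 */
                private Collection<? extends GrantedAuthority> getAuthorities(Collection<Role> roles) {
                    return roles.stream()
                            .map(role -> new SimpleGrantedAuthority(role.getName()))
                            .collect(Collectors.toList());
                }
            }
        }
    }

    /** Q2 demo, authorization side: method-level security with pre/post expressions. */
    public class AuthorizationMechanismExample {

        public void authorizationDemo() {

            @Configuration
            @EnableGlobalMethodSecurity(
                    prePostEnabled = true,
                    securedEnabled = true,
                    jsr250Enabled = true)
            public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

                /**
                 * Installs a custom PermissionEvaluator so hasPermission(...) expressions are
                 * backed by application logic.
                 *
                 * @return the expression handler used for @PreAuthorize/@PostAuthorize evaluation
                 */
                @Override
                protected MethodSecurityExpressionHandler createExpressionHandler() {
                    DefaultMethodSecurityExpressionHandler expressionHandler =
                            new DefaultMethodSecurityExpressionHandler();
                    expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
                    return expressionHandler;
                }
            }

            @Service
            public class UserService {

                /** Only ADMIN may create users; the check runs before the body. */
                @PreAuthorize("hasRole('ADMIN')")
                public void createUser(User user) {
                }

                /**
                 * Returns a user only to the authenticated account that owns it.
                 * The null short-circuit is deliberate: a missing id yields null rather than an
                 * expression-evaluation failure — the original expression dereferenced
                 * returnObject.username on a null return value.
                 *
                 * @param id the user id
                 * @return the user, or null when none exists
                 */
                @PostAuthorize("returnObject == null or returnObject.username == authentication.name")
                public User getUser(Long id) {
                    return userRepository.findById(id).orElse(null);
                }
            }
        }
    }
}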
高级特性
Q3: Spring Security的OAuth2.0实现是怎样的?
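public class OAuth2Demo {

    /** Q3 demo: the authorization server that issues tokens. */
    public class AuthorizationServerExample {

        public void authServerDemo() {

            @Configuration
            @EnableAuthorizationServer
            public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

                // Used to hash the client secret below; the original referenced this field
                // without declaring it.
                @Autowired
                private PasswordEncoder passwordEncoder;

                /**
                 * Registers a single in-memory client. The secret is stored hashed, never in clear.
                 * Access tokens live 3600 s, refresh tokens 86400 s.
                 * NOTE(review): the "password" grant requires the client to handle end-user
                 * credentials directly; it is kept here as listed, but authorization_code is the
                 * grant to prefer for user-facing clients.
                 *
                 * @param clients the client registry builder
                 * @throws Exception propagated from the builder
                 */
                @Override
                public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                    clients.inMemory()
                            .withClient("client")
                            .secret(passwordEncoder.encode("secret"))
                            .authorizedGrantTypes(
                                    "authorization_code",
                                    "password",
                                    "client_credentials",
                                    "refresh_token")
                            .scopes("read", "write")
                            .accessTokenValiditySeconds(3600)
                            .refreshTokenValiditySeconds(86400);
                }

                /**
                 * Endpoint access rules: the token-verification key is public, token introspection
                 * requires an authenticated caller, and clients may send credentials as form
                 * parameters instead of HTTP Basic.
                 *
                 * @param security the endpoint security builder
                 */
                @Override
                public void configure(AuthorizationServerSecurityConfigurer security) {
                    security.tokenKeyAccess("permitAll()")
                            .checkTokenAccess("isAuthenticated()")
                            .allowFormAuthenticationForClients();
                }
            }
        }
    }

    /** Q3 demo: the resource server that accepts the issued tokens. */
    public class ResourceServerExample {

        public void resourceServerDemo() {

            @Configuration
            @EnableResourceServer
            public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

                /**
                 * Protects "/api/**" and leaves every other path open.
                 * CSRF is disabled on the assumption that this server is reached with bearer tokens
                 * only and never via a browser session cookie — if a session can authenticate
                 * requests here, this line must be revisited.
                 *
                 * @param http the HTTP security builder
                 * @throws Exception propagated from the builder
                 */
                @Override
                public void configure(HttpSecurity http) throws Exception {
                    http.authorizeRequests()
                            .antMatchers("/api/**").authenticated()
                            .anyRequest().permitAll()
                        .and()
                            .cors()
                        .and()
                            .csrf().disable();
                }

                /**
                 * Sets the resource id tokens must be issued for to be accepted here.
                 *
                 * @param resources the resource server builder
                 */
                @Override
                public void configure(ResourceServerSecurityConfigurer resources) {
                    resources.resourceId("resource_id");
                }
            }
        }
    }
}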
Q4: Spring Security的会话管理是怎样的?
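public class SessionManagementDemo {

    /** Q4 demo: session creation, concurrency and fixation settings. */
    public class SessionConfigExample {

        public void sessionConfigDemo() {

            @Configuration
            public class SecurityConfig extends WebSecurityConfigurerAdapter {

                /**
                 * Session policy: sessions are created only when needed, one concurrent session per
                 * user with further logins rejected (rather than expiring the first), a new session id
                 * is issued on login to defeat fixation, and the CSRF token is exposed in a cookie
                 * readable by JavaScript so a browser client can echo it back.
                 *
                 * @param http the HTTP security builder
                 * @throws Exception propagated from the builder
                 */
                @Override
                protected void configure(HttpSecurity http) throws Exception {
                    http.sessionManagement()
                            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                            .maximumSessions(1)
                            .maxSessionsPreventsLogin(true)
                            .expiredUrl("/login?expired")
                        .and()
                            .sessionFixation().migrateSession()
                        .and()
                            .csrf()
                            // withHttpOnlyFalse is deliberate: the script must read the cookie.
                            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
                }
            }
        }
    }

    /** Q4 demo: reacting to authentication events for audit logging. */
    public class SessionEventExample {

        public void sessionEventDemo() {

            @Component
            public class SecurityEventListener implements ApplicationListener<AbstractAuthenticationEvent> {

                /**
                 * Dispatches each authentication event to its log helper (defined elsewhere).
                 * InteractiveAuthenticationSuccessEvent is a subclass of AuthenticationSuccessEvent,
                 * so it is tested first; in the original order that branch was unreachable.
                 * NOTE(review): Spring Security's failure events derive from
                 * AbstractAuthenticationFailureEvent — confirm AuthenticationFailureEvent is a
                 * type available in this project.
                 *
                 * @param event the published authentication event
                 */
                @Override
                public void onApplicationEvent(AbstractAuthenticationEvent event) {
                    if (event instanceof InteractiveAuthenticationSuccessEvent) {
                        logInteractiveAuthenticationSuccess(event);
                    } else if (event instanceof AuthenticationSuccessEvent) {
                        logAuthenticationSuccess(event);
                    } else if (event instanceof AuthenticationFailureEvent) {
                        logAuthenticationFailure(event);
                    }
                }
            }
        }
    }
}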
Q5: Spring Security的安全防护有哪些?
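public class SecurityProtectionDemo {

    /** Q5 demo: CSRF token issuance and delivery. */
    public class CSRFProtectionExample {

        public void csrfDemo() {

            @Configuration
            public class SecurityConfig extends WebSecurityConfigurerAdapter {

                /**
                 * Cookie-based CSRF tokens (readable by script so a browser client can send them
                 * back). "/api/webhook/**" is exempt because it is not driven by a browser session;
                 * that path must therefore be authenticated by some other means not shown here.
                 *
                 * @param http the HTTP security builder
                 * @throws Exception propagated from the builder
                 */
                @Override
                protected void configure(HttpSecurity http) throws Exception {
                    http.csrf()
                            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                            .ignoringAntMatchers("/api/webhook/**");
                }
            }

            @Component
            public class CSRFTokenHandler extends OncePerRequestFilter {

                /**
                 * Copies the current CSRF token into the X-CSRF-TOKEN response header so clients
                 * that cannot read the cookie can still obtain it.
                 *
                 * @param request     the current request
                 * @param response    the current response
                 * @param filterChain the remaining filter chain
                 * @throws ServletException propagated from the chain
                 * @throws IOException      propagated from the chain
                 */
                @Override
                protected void doFilterInternal(HttpServletRequest request,
                                                HttpServletResponse response,
                                                FilterChain filterChain)
                        throws ServletException, IOException {
                    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                    if (csrf != null) {
                        response.setHeader("X-CSRF-TOKEN", csrf.getToken());
                    }
                    filterChain.doFilter(request, response);
                }
            }
        }
    }

    /** Q5 demo: request-parameter sanitising as a defence-in-depth layer against XSS. */
    public class XSSProtectionExample {

        public void xssDemo() {

            @Component
            public class XSSFilter implements Filter {

                /**
                 * Wraps every request so parameter reads go through XSSRequestWrapper.
                 *
                 * @param request  the incoming request (assumed to be an HttpServletRequest)
                 * @param response the response
                 * @param chain    the remaining filter chain
                 * @throws IOException      propagated from the chain
                 * @throws ServletException propagated from the chain
                 */
                @Override
                public void doFilter(ServletRequest request,
                                     ServletResponse response,
                                     FilterChain chain) throws IOException, ServletException {
                    XSSRequestWrapper wrappedRequest = new XSSRequestWrapper((HttpServletRequest) request);
                    chain.doFilter(wrappedRequest, response);
                }
            }

            /**
             * HTML-encodes angle brackets in request parameters. This is only a second line of
             * defence: output encoding in the view layer remains the primary XSS control, and
             * this wrapper does not cover headers or the request body.
             */
            public class XSSRequestWrapper extends HttpServletRequestWrapper {

                public XSSRequestWrapper(HttpServletRequest request) {
                    super(request);
                }

                /**
                 * Single-value accessor, added so that code reading getParameter() is covered by
                 * the same sanitising as getParameterValues().
                 *
                 * @param parameter the parameter name
                 * @return the sanitised value, or null when absent
                 */
                @Override
                public String getParameter(String parameter) {
                    String value = super.getParameter(parameter);
                    return value == null ? null : cleanXSS(value);
                }

                /**
                 * @param parameter the parameter name
                 * @return a fresh array of sanitised values, or null when the parameter is absent
                 */
                @Override
                public String[] getParameterValues(String parameter) {
                    String[] values = super.getParameterValues(parameter);
                    if (values == null) {
                        return null;
                    }
                    String[] encodedValues = new String[values.length];
                    for (int i = 0; i < values.length; i++) {
                        encodedValues[i] = cleanXSS(values[i]);
                    }
                    return encodedValues;
                }

                /**
                 * Replaces the tag delimiters with their HTML entities.
                 * The original replaced "<" with "<" and ">" with ">" — a no-op that left the
                 * wrapper providing no protection at all. Literal replace() is used because
                 * no regex semantics are needed.
                 *
                 * @param value the raw parameter value
                 * @return the value with angle brackets encoded
                 */
                private String cleanXSS(String value) {
                    return value.replace("<", "&lt;").replace(">", "&gt;");
                }
            }
        }
    }

    /** Q5 demo: parameterised queries and allow-list input validation. */
    public class SQLInjectionProtectionExample {

        public void sqlInjectionDemo() {

            @Repository
            public class UserRepository {

                @Autowired
                private JdbcTemplate jdbcTemplate;

                /**
                 * Looks up a user with a bound parameter; the username never becomes part of the
                 * SQL text. Returns null when no row matches, which is what callers checking
                 * {@code user == null} expect — the original used queryForObject, which throws
                 * on an empty result instead of returning null.
                 *
                 * @param username the login name to search for
                 * @return the matching user, or null when none exists
                 */
                public User findByUsername(String username) {
                    List<User> users = jdbcTemplate.query(
                            "SELECT * FROM users WHERE username = ?",
                            (rs, rowNum) -> new User(
                                    rs.getLong("id"),
                                    rs.getString("username"),
                                    rs.getString("password")),
                            username);
                    return users.isEmpty() ? null : users.get(0);
                }
            }

            @Component
            public class InputValidator {

                /**
                 * Allow-list check: non-null and made only of ASCII letters, digits and underscore.
                 *
                 * @param input the candidate value
                 * @return true when the whole input matches the allow-list
                 */
                public boolean isValidInput(String input) {
                    return input != null && input.matches("[a-zA-Z0-9_]+");
                }
            }
        }
    }
}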
面试关键点
- 理解Spring Security的核心功能
- 掌握认证和授权机制
- 熟悉OAuth2.0的实现
- 了解会话管理机制
- 理解安全防护措施
- 掌握配置和扩展方法
- 注意性能和安全平衡
- 关注最佳实践