Spring Security面试题

Spring Security面试题

基础概念

Q1: Spring Security的核心功能有哪些？

public class SecurityBasicDemo {// 1. 基本配置public class SecurityConfigExample {public void configDemo() {@Configuration@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/public/**").permitAll().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated().and().formLogin().loginPage("/login").defaultSuccessUrl("/dashboard").and().logout().logoutUrl("/logout").logoutSuccessUrl("/login");}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication().withUser("user").password(passwordEncoder().encode("password")).roles("USER");}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}}}}// 2. 认证流程public class AuthenticationExample {public void authDemo() {// 自定义认证提供者@Componentpublic class CustomAuthenticationProvider implements AuthenticationProvider {@Overridepublic Authentication authenticate(Authentication auth) throws AuthenticationException {String username = auth.getName();String password = auth.getCredentials().toString();// 验证用户if (validateUser(username, password)) {List<GrantedAuthority> authorities = Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));return new UsernamePasswordAuthenticationToken(username, password, authorities);}throw new BadCredentialsException("Invalid credentials");}@Overridepublic boolean supports(Class<?> authentication) {return authentication.equals(UsernamePasswordAuthenticationToken.class);}}}}
}

Q2: Spring Security的认证和授权机制是怎样的？

public class AuthenticationAuthorizationDemo {// 1. 认证机制public class AuthenticationMechanismExample {public void authMechanismDemo() {// 用户详情服务@Servicepublic class CustomUserDetailsService implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userRepository.findByUsername(username);if (user == null) {throw new UsernameNotFoundException(username);}return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),getAuthorities(user.getRoles()));}private Collection<? extends GrantedAuthority> getAuthorities(Collection<Role> roles) {return roles.stream().map(role -> new SimpleGrantedAuthority(role.getName())).collect(Collectors.toList());}}}}// 2. 授权机制public class AuthorizationMechanismExample {public void authorizationDemo() {// 方法级安全@Configuration@EnableGlobalMethodSecurity(prePostEnabled = true,securedEnabled = true,jsr250Enabled = true)public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {@Overrideprotected MethodSecurityExpressionHandler createExpressionHandler() {DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());return expressionHandler;}}// 使用注解@Servicepublic class UserService {@PreAuthorize("hasRole('ADMIN')")public void createUser(User user) {// 创建用户}@PostAuthorize("returnObject.username == authentication.name")public User getUser(Long id) {// 获取用户return userRepository.findById(id).orElse(null);}}}}
}

高级特性

Q3: Spring Security的OAuth2.0实现是怎样的？

public class OAuth2Demo {// 1. 授权服务器public class AuthorizationServerExample {public void authServerDemo() {@Configuration@EnableAuthorizationServerpublic class AuthServerConfig extends AuthorizationServerConfigurerAdapter {@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.inMemory().withClient("client").secret(passwordEncoder.encode("secret")).authorizedGrantTypes("authorization_code","password","client_credentials","refresh_token").scopes("read", "write").accessTokenValiditySeconds(3600).refreshTokenValiditySeconds(86400);}@Overridepublic void configure(AuthorizationServerSecurityConfigurer security) {security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").allowFormAuthenticationForClients();}}}}// 2. 资源服务器public class ResourceServerExample {public void resourceServerDemo() {@Configuration@EnableResourceServerpublic class ResourceServerConfig extends ResourceServerConfigurerAdapter {@Overridepublic void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/api/**").authenticated().anyRequest().permitAll().and().cors().and().csrf().disable();}@Overridepublic void configure(ResourceServerSecurityConfigurer resources) {resources.resourceId("resource_id");}}}}
}

Q4: Spring Security的会话管理是怎样的？

public class SessionManagementDemo {// 1. 会话配置public class SessionConfigExample {public void sessionConfigDemo() {@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login?expired").and().sessionFixation().migrateSession().and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());}}}}// 2. 会话事件监听public class SessionEventExample {public void sessionEventDemo() {@Componentpublic class SecurityEventListener implements ApplicationListener<AbstractAuthenticationEvent> {@Overridepublic void onApplicationEvent(AbstractAuthenticationEvent event) {if (event instanceof AuthenticationSuccessEvent) {// 认证成功事件处理logAuthenticationSuccess(event);} else if (event instanceof AuthenticationFailureEvent) {// 认证失败事件处理logAuthenticationFailure(event);} else if (event instanceof InteractiveAuthenticationSuccessEvent) {// 交互式认证成功事件处理logInteractiveAuthenticationSuccess(event);}}}}}
}

Q5: Spring Security的安全防护有哪些？

public class SecurityProtectionDemo {// 1. CSRF防护public class CSRFProtectionExample {public void csrfDemo() {@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringAntMatchers("/api/webhook/**");}}// CSRF Token处理@Componentpublic class CSRFTokenHandler extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain filterChain) throws ServletException, IOException {CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());if (csrf != null) {response.setHeader("X-CSRF-TOKEN", csrf.getToken());}filterChain.doFilter(request, response);}}}}// 2. XSS防护public class XSSProtectionExample {public void xssDemo() {// XSS过滤器@Componentpublic class XSSFilter implements Filter {@Overridepublic void doFilter(ServletRequest request,ServletResponse response,FilterChain chain) throws IOException, ServletException {XSSRequestWrapper wrappedRequest = new XSSRequestWrapper((HttpServletRequest) request);chain.doFilter(wrappedRequest, response);}}// 请求包装器public class XSSRequestWrapper extends HttpServletRequestWrapper {public XSSRequestWrapper(HttpServletRequest request) {super(request);}@Overridepublic String[] getParameterValues(String parameter) {String[] values = super.getParameterValues(parameter);if (values == null) {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = cleanXSS(values[i]);}return encodedValues;}private String cleanXSS(String value) {// XSS清理逻辑return value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");}}}}// 3. SQL注入防护public class SQLInjectionProtectionExample {public void sqlInjectionDemo() {// 参数绑定@Repositorypublic class UserRepository {@Autowiredprivate JdbcTemplate jdbcTemplate;public User findByUsername(String username) {return jdbcTemplate.queryForObject("SELECT * FROM users WHERE username = ?",new Object[]{username},(rs, rowNum) ->new User(rs.getLong("id"),rs.getString("username"),rs.getString("password")));}}// 输入验证@Componentpublic class InputValidator {public boolean isValidInput(String input) {// 输入验证逻辑return input != null && input.matches("[a-zA-Z0-9_]+");}}}}
}

面试关键点

1. 理解Spring Security的核心功能
2. 掌握认证和授权机制
3. 熟悉OAuth2.0的实现
4. 了解会话管理机制
5. 理解安全防护措施
6. 掌握配置和扩展方法
7. 注意性能和安全平衡
8. 关注最佳实践