Spring Security Internal Flow
What is Spring Boot?
Spring Boot is a Java-based framework built on top of Spring Framework that helps developers create production-ready applications quickly with minimal configuration.
In simple words:
Normally, when using Spring Framework, developers need to configure many things manually such as:
- Dependency setup
- Server configuration
- Database connection setup
- Security configuration
- Bean management
Spring Boot simplifies this by providing pre-configured setups so you can focus more on writing business logic rather than infrastructure code.
Key Features of Spring Boot:
Auto Configuration
Automatically configures your application based on dependencies added in your project.
Example:
If you add the MySQL dependency, Spring Boot can automatically configure database settings.
Standalone Applications
It comes with embedded servers like:
- Apache Tomcat
- Jetty
- Undertow
So you don’t need to deploy your application separately on external servers.
Starter Dependencies
Provides ready-made dependencies like:
- spring-boot-starter-web
- spring-boot-starter-data-jpa
- spring-boot-starter-security
These reduce dependency management complexity.
Production Ready Features
Using Spring Boot Actuator, you can monitor application health, metrics, logs, etc.
Example: Spring Boot app without Spring Security
1. RkDigitalSchoolbankApplication.java
```java
package com.rkdigitalschool.security.test;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class RkDigitalSchoolbankApplication {
    public static void main(String[] args) {
        SpringApplication.run(RkDigitalSchoolbankApplication.class, args);
    }
}
```
2. WelcomeContoller.java
```java
package com.rkdigitalschool.security.test.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WelcomeContoller {
    @GetMapping("/welcome")
    public String sayWelcome() {
        System.out.println("Welcome to Spring Application with out security");
        return "Welcome to Spring Application with out security";
    }
}
```
3. application.properties
```properties
spring.application.name=rest_security
```
Output
Welcome to Spring Application with out security
Spring Boot basic app using Spring Security and static credentials
Step-1: pom.xml
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Once you add the Spring Security dependency and start the service, accessing the API will prompt you to enter a user ID and password for authentication.

At this stage, we have not written any custom code for Spring Security—we have only added the required dependencies. This demonstrates how Spring Security provides default security configurations out of the box.
By default, the username is user, and the password is automatically generated and displayed in the console when the server starts.
Once you authenticate and access the endpoint, Spring Security creates a session behind the scenes, so you won’t be prompted to enter credentials every time you hit the endpoint again.
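Step-2: Add SecurityConfig.java
```java
// The package name is an assumption: the class must sit under
// com.rkdigitalschool.security.test so that component scanning finds it.
package com.rkdigitalschool.security.test.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Intentionally empty: the default security configuration still applies.
}
```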
Step-3: RkDigitalSchoolbankApplication.java stays the same
```java
package com.rkdigitalschool.security.test;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class RkDigitalSchoolbankApplication {
    public static void main(String[] args) {
        SpringApplication.run(RkDigitalSchoolbankApplication.class, args);
    }
}
```
Step-4: Add the web controller (WelcomeContoller.java)
```java
package com.rkdigitalschool.security.test.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WelcomeContoller {
    @GetMapping("/welcome")
    public String sayWelcome() {
        // Log the same message that is returned to the caller
        System.out.println("Welcome to Spring Application with security");
        return "Welcome to Spring Application with security";
    }
}
```
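Step-5: Add properties in application.properties
```properties
spring.application.name=rest_security
# Static demo credentials: these replace the password generated at startup
spring.security.user.name=user
spring.security.user.password=12345
# Verbose Spring Security logging, useful for tracing the filter chain while learning
logging.level.org.springframework.security=TRACE
```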
Output
Welcome to Spring Application with security
Spring Security Internal flow
Spring Security is a powerful framework that provides authentication, authorization, and other security features for Java applications, particularly web applications. This section explains the internal flow of Spring Security configuration and its behavior.

Overview of the Internal Flow
The internal flow of Spring Security involves several components that work together to manage security concerns such as authentication and authorization.
Spring Security Filters
A series of Spring Security filters intercepts each request and works together to determine whether authentication is required. If it is, the user is sent to the login page, or the existing details stored during the initial authentication are used.
Common Security Filters in the Chain:
- SecurityContextPersistenceFilter: Restores the SecurityContext (the authentication state of the user) for the current session.
- UsernamePasswordAuthenticationFilter: Handles form-based login requests.
- BasicAuthenticationFilter: Handles HTTP Basic authentication.
- BearerTokenAuthenticationFilter: Handles Bearer token authentication.
- ExceptionTranslationFilter: Handles exceptions thrown by other filters, such as access denied or authentication failure.
- FilterSecurityInterceptor: Performs authorization checks based on URL patterns, method security, or any other security configuration.
- LogoutFilter: Handles logouts.
- DefaultLoginPageGeneratingFilter: Generates a default login page if a custom login page is not provided.
Authentication
Filters such as UsernamePasswordAuthenticationFilter extract the username and password from the HTTP request and prepare an Authentication object. Authentication is the core standard for storing authenticated user details inside the Spring Security framework.
AuthenticationManager
Once it receives a request from a filter, it delegates validation of the user details to the available authentication providers. Since there can be multiple providers inside an app, it is the responsibility of the AuthenticationManager to manage all of them. In simple words, the AuthenticationManager takes responsibility for authentication.
AuthenticationProvider
AuthenticationProviders contain all the core logic for validating user details for authentication.
UserDetailsService
UserDetailsService helps in retrieving, creating, updating and deleting user details from database storage systems.
PasswordEncoder
Service interface that helps in encoding and hashing passwords. Otherwise, we may have to live with plain-text passwords.
SecurityContext
Once the request has been authenticated, the Authentication is usually stored in a thread-local SecurityContext managed by the SecurityContextHolder. This helps with upcoming requests from the user.
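The flow described above, written out as an added example that is not part of the original post: a configuration class in which the PasswordEncoder, UserDetailsService and AuthenticationProvider roles are each visible, using the page's demo user but storing its password as a hash. It assumes Spring Boot 3.x with Spring Security 6.x; the package name, class name and bean names are hypothetical.

```java
// Added example, not from the original post. Assumes Spring Boot 3.x / Spring Security 6.x.
package com.rkdigitalschool.security.test.config; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class FlowDemoSecurityConfig { // hypothetical class name
    // PasswordEncoder: the delegating encoder hashes with bcrypt and stores "{bcrypt}<hash>".
    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    @Bean // UserDetailsService: the lookup side; it holds a hash, never the text "12345".
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
                User.withUsername("user").password(encoder.encode("12345")).roles("USER").build());
    }

    // AuthenticationProvider: Spring Security registers a single bean of this type with the
    // AuthenticationManager (a ProviderManager), which the login filters then call.
    @Bean
    AuthenticationProvider flowProvider(UserDetailsService users) {
        String dummyHash = encoder.encode("placeholder-for-unknown-users");
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication request) {
                String presented = String.valueOf(request.getCredentials());
                try {
                    UserDetails user = users.loadUserByUsername(request.getName());
                    if (encoder.matches(presented, user.getPassword())) {
                        return UsernamePasswordAuthenticationToken.authenticated(
                                user, null, user.getAuthorities()); // kept in the SecurityContext
                    }
                } catch (UsernameNotFoundException e) {
                    encoder.matches(presented, dummyHash); // same hashing cost for unknown users
                }
                throw new BadCredentialsException("Bad credentials"); // same error in both cases
            }
            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }
}
```

With this class on the classpath, Spring Boot's auto-configured default user backs off, so the spring.security.user.* properties from Step-5 are no longer used. In a real deployment only the hash would be stored, rather than being computed from a literal at startup.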
Most common security questions
1. Passwords
How to store passwords and validate, encode and decode them using industry-standard hashing algorithms?
2. Authentication
How should users authenticate into the application and what are the different methods available?
3. Authorization
How can role-based or attribute-based access control be implemented?
4. Method-level security
How can I implement security at the method level of my application using authorization rules?
5. CSRF & CORS
What are CSRF attacks and CORS restrictions, and how to handle them inside web applications?
6. JWT, OAuth2, OpenID
What are JWT, OAuth2 and OpenID, and how can I protect my web application using them?
7. Preventing attacks
How to prevent security attacks like brute force, stealing of data and session fixation?