Spring Security
authentication, authorization, SecurityFilterChain
Spring Security is the core authentication and authorization layer in Spring applications.
1. Definition
Authentication establishes who the caller is; authorization decides what that caller may do. In the modern component-based configuration (Spring Security 5.7+ and 6) the usual pieces are a SecurityFilterChain bean built from HttpSecurity, a UserDetailsService that loads users, a PasswordEncoder that hashes and verifies credentials, and authorizeHttpRequests rules that map request patterns to access decisions.
2. Core Concepts
What happens underneath
Every request passes through one servlet filter, FilterChainProxy (registered as springSecurityFilterChain), which picks the first SecurityFilterChain whose request matcher accepts the request and runs that chain's filters in order. An authentication filter such as BasicAuthenticationFilter or UsernamePasswordAuthenticationFilter extracts the credentials and hands them to the AuthenticationManager; by default that is a ProviderManager wrapping a DaoAuthenticationProvider, which loads the user through UserDetailsService and checks the password with PasswordEncoder. The resulting Authentication is stored in the SecurityContextHolder. Near the end of the chain, AuthorizationFilter evaluates the authorizeHttpRequests rules against that Authentication; matchers are evaluated in declaration order and the first match wins. Method security (@PreAuthorize) applies the same decision model through an AOP proxy around the annotated bean.
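As an added example (not code from the original page), here is a browser-facing configuration that wires both halves together under Spring Security 6 / Spring Boot 3: a UserDetailsService with two constructed demo users, a PasswordEncoder, URL rules that separate authentication (authenticated()) from authorization (hasRole(...)), form login with CSRF protection left at its secure default, and @PreAuthorize method security on a service. The class names, paths, usernames and roles are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Hypothetical configuration for a session-based web UI (example, not the page's own code).
@Configuration
@EnableMethodSecurity // turns on @PreAuthorize/@PostAuthorize via AOP proxies
class RoleBasedSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            // Authorization rules: evaluated top to bottom, first match wins,
            // so specific paths come first and the catch-all anyRequest() last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/reports/**").hasAnyRole("ADMIN", "AUDITOR")
                .anyRequest().authenticated())
            // Authentication: form login backed by the UserDetailsService below.
            // CSRF protection is NOT disabled: this app uses a session cookie.
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults())
            .build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed demo users; a real deployment loads these from a database or IdP.
        // roles("ADMIN") is stored as the authority ROLE_ADMIN, which hasRole("ADMIN") checks.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("ADMIN").build(),
            User.withUsername("bob").password(encoder.encode("bob-pw")).roles("USER").build());
    }
}

// Method-level authorization on a hypothetical service bean.
@Service
class ReportService {

    @PreAuthorize("hasAnyRole('AUDITOR', 'ADMIN')")
    public String monthlyReport() {
        return "monthly report";
    }

    // SpEL can reference method arguments and the current Authentication:
    // a user may read only their own profile unless they are an ADMIN.
    @PreAuthorize("#username == authentication.name or hasRole('ADMIN')")
    public String profile(String username) {
        return "profile of " + username;
    }
}
```

With this configuration an anonymous request to /reports/q1 is redirected to the login page (authentication failure), while bob, once logged in, receives 403 on the same URL and an AccessDeniedException from ReportService.monthlyReport() (authorization failure). Keeping the two failure modes distinct is exactly the authentication/authorization split the definition describes.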
When it is useful
Spring Security is the core authentication and authorization layer in Spring applications: use it whenever an application has to identify its callers (form login, HTTP Basic, token-based APIs) or restrict what they may reach. In interviews, highlight these use cases and the related annotations (@EnableWebSecurity, @EnableMethodSecurity, @PreAuthorize).
What interviewers ask
Common questions cover the order of filters in the chain, how authentication differs from authorization, why CSRF protection exists and when it is safe to disable, how passwords must be stored, and how to debug an unexpected 401 or 403 in production.
3. Practical Usage
- Use Spring Security when the application actually has callers to authenticate or resources to protect; do not hand-roll authentication once that is the case.
- Read the SecurityFilterChain configuration and the method-security annotations together, because both decide what a request is allowed to do at runtime.
- When debugging, inspect the startup logs, the bean graph, and the active profiles; enabling DEBUG (or TRACE) logging for org.springframework.security shows which filter rejected a request.
- Prefer small components with clear responsibilities: for example one SecurityFilterChain for the API and another for the browser UI rather than one chain that mixes both.
- In interviews, mention the production trade-off (for example what disabling CSRF costs), not only the annotation name.
4. Code Examples
The following example is a minimal configuration for a stateless API that authenticates with HTTP Basic: /public/** is open, every other request requires an authenticated caller, and passwords are hashed with BCrypt. It disables CSRF protection, which is acceptable only because no browser session cookie is involved; a form-login or session-based application must keep the default protection on.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class SecurityConfig {

    // One SecurityFilterChain bean replaces the old WebSecurityConfigurerAdapter.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // Safe only for a Basic/token API with no session cookie; keep CSRF on for browser apps.
            .csrf(csrf -> csrf.disable())
            // Rules are evaluated in order: the specific permitAll first, the catch-all last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Unauthenticated requests get a 401 with a WWW-Authenticate: Basic challenge.
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // Used by DaoAuthenticationProvider to compare a submitted password with the stored hash.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

Because no UserDetailsService bean is declared, Spring Boot falls back to a single auto-configured user named "user" whose random password is printed in the startup log; that is for local development only. Never store passwords in plain text: the PasswordEncoder is what turns a stored credential into a salted adaptive hash (BCrypt here; SCrypt and Argon2 are also available) instead of a recoverable secret, and NoOpPasswordEncoder belongs in throwaway tests at most.
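Added example, not from the original page: the recommended encoder for new code is the DelegatingPasswordEncoder from PasswordEncoderFactories, which prefixes every hash with its algorithm id ({bcrypt}...) so the scheme can be rotated later without breaking existing users. It runs with only spring-security-crypto on the classpath, no Spring context needed; the {noop} value is a constructed stand-in for a record imported from an older system.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Stand-alone demo of password storage with the delegating encoder (example code).
public class PasswordStorageDemo {

    // Encodes with "bcrypt" by default; matches() also understands {argon2}, {scrypt},
    // {pbkdf2} and legacy {noop} hashes by reading the id prefix.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Hash a password on registration or change; only the returned value is stored. */
    static String hash(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Compare a login attempt against the stored hash. */
    static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    /** True when the stored hash uses a different scheme or weaker parameters than the default. */
    static boolean needsRehash(String storedHash) {
        return ENCODER.upgradeEncoding(storedHash);
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");
        System.out.println("stored value: " + stored);
        System.out.println("right password accepted: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password accepted: " + verify("wrong", stored));

        // Constructed legacy record, as it might arrive from a migrated user table.
        String legacy = "{noop}plaintext-pw";
        System.out.println("legacy password accepted: " + verify("plaintext-pw", legacy));
        System.out.println("legacy needs rehash: " + needsRehash(legacy));
        if (needsRehash(legacy)) {
            // On the user's next successful login, re-encode and overwrite the stored value.
            System.out.println("rehashed as: " + hash("plaintext-pw"));
        }
    }
}
```

hash() returns a different string on every call because BCrypt embeds a fresh salt; verify() is true for the correct password and false otherwise; needsRehash() is true for the {noop} record because its id differs from the default bcrypt, which is the signal to re-encode the password at the next successful login and retire the weak entry.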
5. Trade-offs
- Convention vs explicit configuration — Spring Boot secures every endpoint with a generated password out of the box, which is safe but useless in production; predictable behavior requires an explicit SecurityFilterChain.
- Fast development vs transparency — A few lambdas configure a dozen filters, but when a request is rejected you need to know which filter did it and why.
- Abstraction vs control — The DSL hides the filter ordering, yet correctness (matcher order, CSRF, session handling) depends on understanding it.
6. Common Mistakes
- Memorizing annotations without understanding which filter enforces them at runtime.
- Changing defaults without understanding the consequences, for example disabling CSRF in a browser application that uses session cookies, or placing a broad permitAll() pattern ahead of more specific rules so that it wins by first match.
- Keeping oversized components with weak boundaries, such as one filter chain that mixes API, UI and actuator rules.
- Ignoring logs and diagnostic tooling; DEBUG logging for org.springframework.security shows exactly where a request was rejected.
- Not aligning the test strategy with the specific layer: a plain controller unit test never exercises the filter chain, so authorization rules need spring-security-test (MockMvc with user(...) or @WithMockUser).
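The following slice test is an added example, not code from the original page. It verifies the rules of the SecurityConfig shown in section 4 (assumed to live in the same package) against a hypothetical PingController, using JUnit 5, Spring Boot's @WebMvcTest and the spring-security-test request post-processors. Because @WebMvcTest does not pick up @Configuration classes on its own, the security configuration is pulled in with @Import.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller with one public and one protected endpoint (test fixture).
@RestController
class PingController {

    @GetMapping("/public/ping")
    String ping() {
        return "pong";
    }

    @GetMapping("/admin/stats")
    String stats() {
        return "stats";
    }
}

// Web slice test: only the MVC layer plus the imported SecurityConfig are loaded,
// and MockMvc runs requests through the real springSecurityFilterChain.
@WebMvcTest(controllers = PingController.class)
@Import(SecurityConfig.class)
class SecurityRulesTest {

    @Autowired
    MockMvc mvc;

    @Test
    void publicPathIsOpenToAnonymousCallers() throws Exception {
        mvc.perform(get("/public/ping"))
            .andExpect(status().isOk());
    }

    @Test
    void protectedPathRejectsAnonymousWithBasicChallenge() throws Exception {
        // anyRequest().authenticated() plus httpBasic() yields 401 and a WWW-Authenticate header.
        mvc.perform(get("/admin/stats"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void protectedPathAcceptsAnyAuthenticatedUser() throws Exception {
        // user(...) places an Authentication in the SecurityContext for this request only,
        // so no UserDetailsService or password is needed to exercise the authorization rule.
        mvc.perform(get("/admin/stats").with(user("bob").roles("USER")))
            .andExpect(status().isOk());
    }
}
```

The same three cases written as a plain unit test of PingController would all pass trivially, because nothing would stand between the test and the handler method; the slice test is the cheapest layer at which a wrong matcher order or an accidental permitAll() actually fails.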
7. Senior-level Insights
- A senior Spring engineer also looks at which proxy, bean post-processor, or filter is active under the hood; for example @PreAuthorize is enforced by a Spring AOP proxy, so a self-invocation inside the same bean bypasses the check entirely.
- Most hard bugs are not about annotation names but about lifecycle and ordering: the order of filters inside the chain, the order of requestMatchers rules, and which SecurityFilterChain bean matches a request first.
- In production thinking, startup time, memory, observability, and rollback strategy all matter.
8. Glossary
- Spring Security: The framework's authentication, authorization and request-protection layer, implemented as a chain of servlet filters plus optional method-level interceptors.
- Bean: An object managed by Spring.
- Proxy: An intermediate object that can add behavior; method security applies @PreAuthorize checks through an AOP proxy around the bean.
- Configuration: Properties or bean definitions that shape runtime behavior.
- Context: The current application container state in Spring.
9. Cheatsheet
- Spring Security is the core authentication and authorization layer in Spring applications.
- Understand the request path: FilterChainProxy selects a SecurityFilterChain, an authentication filter populates the SecurityContext, AuthorizationFilter applies the rules.
- In interviews, mention the trade-off, not just the annotation.
- For production bugs, start with logs (DEBUG for org.springframework.security), the bean graph, and active profiles.
- The simplest configuration that states explicitly what is public and what is protected is usually the right one.