Bird
Raised Fist0
Spring Bootframework~20 mins

Authentication flow in Spring Boot - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Spring Security Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What happens after successful login in Spring Security?
In a typical Spring Security authentication flow, what is the immediate next step after a user successfully logs in?
AThe user is redirected to the originally requested protected resource or a default page.
BThe application throws an AccessDeniedException.
CThe user's password is reset automatically.
DThe session is invalidated immediately.
Attempts:
2 left
💡 Hint
Think about what the user expects after logging in successfully.
lifecycle
intermediate
2:00remaining
Order of filters in Spring Security authentication flow
Which filter in Spring Security is responsible for processing username and password authentication before the request reaches the controller?
AExceptionTranslationFilter
BBasicAuthenticationFilter
CSecurityContextPersistenceFilter
DUsernamePasswordAuthenticationFilter
Attempts:
2 left
💡 Hint
This filter handles form login credentials.
🔧 Debug
advanced
3:00remaining
Why does authentication fail with this configuration?
Given this Spring Security configuration snippet, why does authentication always fail? @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll(); } } Options:
Spring Boot
Same as prompt
AThe permitAll() call is misplaced and blocks all requests.
BThe configure method lacks a password encoder bean, causing authentication failure.
CThe custom login page "/login" is not implemented, so authentication fails.
DThe anyRequest().authenticated() call allows anonymous access, so login is skipped.
Attempts:
2 left
💡 Hint
Check if the login page exists and is accessible.
📝 Syntax
advanced
3:00remaining
Identify the error in this Spring Security password encoder bean
What is wrong with this Spring Boot password encoder bean definition? @Bean public PasswordEncoder passwordEncoder() { return NoOpPasswordEncoder.getInstance(); } Options:
Spring Boot
Same as prompt
ANoOpPasswordEncoder is deprecated and insecure; it should not be used in production.
BThe bean method is missing the @Component annotation.
CThe method should return BCryptPasswordEncoder instead of NoOpPasswordEncoder.
DPasswordEncoder interface cannot be implemented as a bean.
Attempts:
2 left
💡 Hint
Consider security best practices for password encoding.
🧠 Conceptual
expert
3:00remaining
What is the role of SecurityContextHolder in Spring Security?
Choose the best description of SecurityContextHolder's role in Spring Security authentication flow.
AIt manages database connections for user credentials.
BIt stores security information like authentication details for the current thread of execution.
CIt handles HTTP session creation and destruction.
DIt encrypts passwords before saving them.
Attempts:
2 left
💡 Hint
Think about where Spring Security keeps user login info during a request.

Practice

(1/5)
1. What is the main purpose of the authentication flow in a Spring Boot application?
easy
A. To send emails to users after login
B. To style the user interface of the login page
C. To store user data in the database
D. To verify the identity of a user before granting access

Solution

  1. Step 1: Understand authentication flow purpose

    Authentication flow is about checking who the user is before allowing access.

  2. Step 2: Identify correct purpose in options

    Only To verify the identity of a user before granting access describes verifying user identity, which matches authentication.

  3. Final Answer:

    To verify the identity of a user before granting access -> Option D

  4. Quick Check:

    Authentication = Verify user identity [OK]
Hint: Authentication means checking who the user is [OK]
Common Mistakes:
  • Confusing authentication with styling or data storage
  • Thinking authentication sends emails
  • Mixing authentication with authorization
2. Which of the following is the correct way to configure URL access rules in Spring Security?
easy
A. http.authorizeHttpRequests().requestMatchers("/admin/**").authenticated()
B. http.authorizeRequests().antMatchers("/private/**").denyAll()
C. http.authorizeRequests().anyRequest().allow()
D. http.authorizeRequests().requestMatchers("/public/**").permitAll()

Solution

  1. Step 1: Identify correct method for URL rules in Spring Security

    Spring Security 6+ uses http.authorizeHttpRequests() with requestMatchers() for URL patterns.

  2. Step 2: Check which option uses correct syntax and meaning

    http.authorizeHttpRequests().requestMatchers("/admin/**").authenticated() uses authorizeHttpRequests() and requestMatchers() with authenticated(), which is correct.

  3. Final Answer:

    http.authorizeHttpRequests().requestMatchers("/admin/**").authenticated() -> Option A

  4. Quick Check:

    Use authorizeHttpRequests() + requestMatchers() [OK]
Hint: Use authorizeHttpRequests() with requestMatchers() in Spring Security 6+ [OK]
Common Mistakes:
  • Using deprecated authorizeRequests() in new Spring versions
  • Using denyAll() incorrectly for access control
  • Using anyRequest().allow() which is invalid
3. Given this Spring Security configuration snippet, what happens when a user accesses /dashboard without logging in?
http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/public/**").permitAll()
    .anyRequest().authenticated()
  )
  .formLogin();
medium
A. The user can access /dashboard without login
B. The user is redirected to the login page
C. The user gets a 403 Forbidden error
D. The user sees a blank page

Solution

  1. Step 1: Analyze URL access rules

    /public/** URLs are open, but any other request requires authentication.

  2. Step 2: Check behavior for unauthenticated access to /dashboard

    Since /dashboard is not under /public, it requires login. formLogin() triggers redirect to login page.

  3. Final Answer:

    The user is redirected to the login page -> Option B

  4. Quick Check:

    Unauthenticated access redirects to login [OK]
Hint: AnyRequest().authenticated() means login required [OK]
Common Mistakes:
  • Thinking permitAll() applies to all URLs
  • Expecting 403 error instead of redirect
  • Assuming access without login
4. Identify the error in this Spring Security configuration snippet:
http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").permitAll()
    .anyRequest().authenticated()
  )
  .formLogin();
medium
A. formLogin() is missing a login page URL
B. anyRequest().authenticated() should come before requestMatchers()
C. permitAll() on /admin/** allows unrestricted access to admin pages
D. requestMatchers() should be replaced with antMatchers()

Solution

  1. Step 1: Review access rules for /admin/**

    permitAll() means anyone can access /admin/** without login, which is usually a security risk.

  2. Step 2: Check order and methods

    Order is correct; anyRequest().authenticated() applies after permitAll(). formLogin() without URL uses default login page, which is valid.

  3. Final Answer:

    permitAll() on /admin/** allows unrestricted access to admin pages -> Option C

  4. Quick Check:

    permitAll() means open access [OK]
Hint: permitAll() means no login needed, risky on admin URLs [OK]
Common Mistakes:
  • Thinking order of matchers is wrong here
  • Assuming formLogin() needs explicit URL
  • Confusing requestMatchers() with antMatchers()
5. You want to create a custom authentication flow that checks a user's email and password against a database and then grants access. Which Spring Boot component should you implement to handle this logic?
hard
A. UserDetailsService to load user data and PasswordEncoder to check password
B. AuthenticationEntryPoint to redirect users after login
C. CorsConfiguration to allow cross-origin requests
D. HttpFirewall to block unauthorized IP addresses

Solution

  1. Step 1: Identify component for loading user info

    UserDetailsService is designed to load user details like email and password from a database.

  2. Step 2: Identify component for password checking

    PasswordEncoder is used to verify the password matches the stored hash securely.

  3. Step 3: Confirm other options are unrelated

    AuthenticationEntryPoint handles unauthorized access, not authentication logic. CorsConfiguration and HttpFirewall serve different purposes.

  4. Final Answer:

    UserDetailsService to load user data and PasswordEncoder to check password -> Option A

  5. Quick Check:

    Custom auth uses UserDetailsService + PasswordEncoder [OK]
Hint: UserDetailsService loads users; PasswordEncoder checks passwords [OK]
Common Mistakes:
  • Confusing AuthenticationEntryPoint with authentication logic
  • Using CorsConfiguration for authentication
  • Thinking HttpFirewall handles login checks