Interview Questions and Answers

PART 1: Spring Boot – Core + Project Based Questions

1. What is Spring Boot and why did you use it?

Answer:
Spring Boot is an extension of the Spring Framework that simplifies application development by providing:

  • Auto-configuration
  • Embedded servers (Tomcat/Jetty)
  • Opinionated defaults
  • Production-ready features (Actuator)

In my project:
I used Spring Boot to build a REST-based microservice where quick setup, minimal configuration, and easy deployment were required.

** Cross Questions

Q: Why not plain Spring?
A: Plain Spring requires a lot of XML/Java config. Spring Boot reduces boilerplate and speeds up development.

Q: Which server did you use?
A: Embedded Tomcat (default).


2. Explain Spring Boot Auto-Configuration

Answer:
Auto-configuration automatically configures beans based on:

  • Classpath dependencies
  • Application properties
  • Existing beans

Example:
If spring-boot-starter-data-jpa is present, Boot auto-configures:

  • DataSource
  • EntityManager
  • TransactionManager

** Cross Questions

Q: How does Spring Boot know what to configure?
A: Through spring.factories and @EnableAutoConfiguration.

Q: How can you disable auto-config?
A:

@SpringBootApplication(exclude = DataSourceAutoConfiguration.class)

3. What is @SpringBootApplication?

Answer:
It is a combination of:

  • @Configuration
  • @EnableAutoConfiguration
  • @ComponentScan

** Cross Question

Q: What happens if a component is outside the base package?
A: It won't be scanned unless we specify scanBasePackages.


4. How did you handle configuration in your project?

Answer:

  • application.yml / application.properties
  • Used @Value and @ConfigurationProperties
  • Separate configs for dev/prod

** Cross Questions

Q: Difference between @Value and @ConfigurationProperties?
A:

  • @Value → single value
  • @ConfigurationProperties → group of related configs

5. Explain REST API flow in your project

Answer:
Client → Controller → Service → Repository → Database

Used:

  • @RestController
  • @Service
  • @Repository
  • @Entity

** Cross Question

Q: Why is a service layer needed?
A: To separate business logic from the controller and improve maintainability & testing.


6. How did you handle exceptions?

Answer:
Used @RestControllerAdvice (@ControllerAdvice plus @ResponseBody) and @ExceptionHandler, so every controller shares one handler that maps the custom exception to a proper status code instead of a stack trace:

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvice
public class GlobalExceptionHandler {
    @ExceptionHandler(ResourceNotFoundException.class) // custom exception -> 404 with a short message
    public ResponseEntity<String> handleException(ResourceNotFoundException ex) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND).body(ex.getMessage());
    }
}

** Cross Question

Q: Why not try-catch everywhere?
A: Centralized handling avoids duplication and improves readability.

PART 2: Spring Security – Interview Killer Section

7. What is Spring Security?

Answer:
Spring Security is a framework that provides:

  • Authentication
  • Authorization
  • Protection against attacks (CSRF, XSS)

8. How did you use Spring Security in your project?

Answer:
I implemented JWT-based authentication for securing REST APIs.

Flow:

  1. User logs in with username/password
  2. Server generates JWT
  3. Client sends JWT in Authorization header
  4. Server validates token for each request

9. Why JWT instead of session?

Answer:

  • Stateless
  • Scalable for microservices
  • No server-side session storage
  • Easy to share across services

** Cross Questions

Q: Where is the JWT stored on the client side?
A: In HTTP headers (Authorization: Bearer token)

Q: Why not local storage?
A: Risk of XSS attacks


10. Explain Spring Security filter flow (VERY IMPORTANT)

Answer:
The request passes through the security filter chain:

  1. UsernamePasswordAuthenticationFilter
  2. AuthenticationManager
  3. AuthenticationProvider
  4. UserDetailsService
  5. SecurityContextHolder

11. What is UserDetailsService?

Answer:
It loads user data from the database.

loadUserByUsername(String username)

Returns UserDetails.

** Cross Question

Q: What happens if the user is not found?
A: UsernameNotFoundException is thrown.


12. What is Authentication vs Authorization?

  Authentication        Authorization
  Who are you           What can you access
  Login                 Role-based access

13. How did you implement role-based access?

Answer:
Using:

  • @PreAuthorize
  • hasRole()

@PreAuthorize("hasRole('ADMIN')")

14. How did you secure endpoints?

Answer:
Configured in a SecurityFilterChain bean (component-based style, Spring Security 5.7+):

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf(csrf -> csrf.disable()) // safe only because no cookie/session auth is used (see Q15)
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/auth/**").permitAll() // login endpoint stays open
            .anyRequest().authenticated());          // everything else needs a valid JWT
    return http.build();
}

15. Why is CSRF disabled?

Answer:
A JWT sent in the Authorization header is stateless and not vulnerable to CSRF, because the browser does not attach it automatically the way it attaches cookies.


16. What is PasswordEncoder?

Answer:
Used to hash passwords.

BCryptPasswordEncoder

** Cross Question

Q: Why BCrypt?
A: Salted, slow hashing → prevents brute-force attacks.


17. How do you validate JWT?

Answer:

  • Extract token
  • Validate signature
  • Check expiry
  • Set authentication in SecurityContext

18. What happens if token is expired?

Answer:

  • Request rejected
  • 401 Unauthorized returned

19. How did you handle logout?

Answer:
Since JWT is stateless:

  • Token is discarded on client side
  • Optionally blacklist token in Redis

REAL INTERVIEW TRAP QUESTIONS

# If JWT is stolen?

Answer:

  • Short expiry
  • HTTPS
  • Refresh tokens
  • Token blacklist

# How will you secure microservices?

Answer:

  • API Gateway
  • Central auth service
  • JWT propagation
  • Service-to-service auth

# Difference between @EnableWebSecurity and SecurityFilterChain?

Answer:

  • Old approach → WebSecurityConfigurerAdapter
  • New approach → Component-based SecurityFilterChain (Spring Security 5.7+)
