Spring Boot framework (~20 mins)

Custom permission evaluator in Spring Boot - Practice Problems & Coding Challenges

Challenge: 5 problems
Problem 1: component_behavior (intermediate)
What is the output when a user without the required permission tries to access a secured method?
Consider a Spring Boot application using a custom permission evaluator. The evaluator denies access if the user lacks the required permission. What happens when a user without permission calls a method secured with @PreAuthorize("hasPermission(#id, 'read')")?
Spring Boot
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

public class CustomPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        // Grants access only if one of the user's granted authorities equals the permission string
        return auth.getAuthorities().stream()
            .anyMatch(grantedAuthority -> grantedAuthority.getAuthority().equals(permission.toString()));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        // Checks by target id and type are not supported by this evaluator: always deny
        return false;
    }
}

// Usage in service
@PreAuthorize("hasPermission(#id, 'read')")
public String getData(Long id) {
    return "data";
}
A. Spring Security throws an AccessDeniedException, preventing method execution.
B. The method executes normally and returns "data".
C. The method returns null without an exception.
D. A runtime NullPointerException occurs due to the missing permission.
💡 Hint
Think about what Spring Security does when permission checks fail.
Problem 2: 📝 Syntax (intermediate)
Which option correctly implements the hasPermission method signature for checking permission by target ID and type?
You want to implement the hasPermission method in a custom permission evaluator that checks permission based on target ID and target type. Which method signature is correct?
A. public boolean hasPermission(Authentication auth, String targetType, Serializable targetId, Object permission)
B. public boolean hasPermission(Authentication auth, Long targetId, String permission)
C. public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission)
D. public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission)
💡 Hint
Check the PermissionEvaluator interface method signatures.
Problem 3: 🔧 Debug (advanced)
Why does the custom permission evaluator always deny access even when the user has the correct authority?
Given this custom permission evaluator code, why does it always deny access? The user has the authority "read", but access is denied.
Spring Boot
public class CustomPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        return auth.getAuthorities().stream()
            .anyMatch(grantedAuthority -> grantedAuthority.getAuthority().equals(permission.toString()));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}
A. The authorities list is empty because authentication is null.
B. The permission object passed is not a String, so the equals comparison fails.
C. The hasPermission method with targetId and targetType always returns false, causing denial.
D. The permission evaluator is not registered as a bean, so it is not used.
💡 Hint
Check the type and value of the permission parameter in the equals check.
Problem 4: 🧠 Conceptual (advanced)
What is the role of the custom permission evaluator in Spring Security?
In Spring Security, what is the main purpose of implementing a custom permission evaluator?
A. To handle session management and timeout policies.
B. To replace the AuthenticationManager for user login authentication.
C. To configure HTTP security rules such as URL patterns and roles.
D. To provide fine-grained access control by evaluating permissions dynamically at the method or domain-object level.
💡 Hint
Think about what permission evaluation means beyond simple role checks.
Problem 5: state_output (expert)
What is the value of 'result' after evaluating this Spring EL expression with a custom permission evaluator?
Assume a method annotated with @PreAuthorize("hasPermission(#doc, 'write')") is called with a document object doc. The custom permission evaluator returns true only if the user has 'write' authority. Given the user has authorities ['read', 'write'], what is the value of the boolean variable result after evaluating the expression hasPermission(doc, 'write')?
Spring Boot
// Constructed sample principal with authorities ['read', 'write']
Authentication auth = new UsernamePasswordAuthenticationToken(
    "user", "n/a", AuthorityUtils.createAuthorityList("read", "write"));
Document doc = new Document();
PermissionEvaluator customPermissionEvaluator = new CustomPermissionEvaluator();
boolean result = customPermissionEvaluator.hasPermission(auth, doc, "write");
A. true
B. false
C. null
D. Throws AccessDeniedException
💡 Hint
Check if the user authorities contain the required permission string.
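The Debug problem above turns on the overload that unconditionally returns false, and the state_output problem on how the domain-object overload compares authorities. The following is an added example, not code from the quiz or from Spring Security, that implements both PermissionEvaluator overloads, fails closed on a null or unauthenticated principal, and shows how the evaluator is wired into a MethodSecurityExpressionHandler so that hasPermission(...) inside @PreAuthorize actually reaches it. The authority naming convention "<TYPE>_<PERMISSION>" (for example DOCUMENT_WRITE), the DocumentPermissionEvaluator class name and the Document domain class are assumptions made for this example; the Spring classes used (PermissionEvaluator, DefaultMethodSecurityExpressionHandler, UsernamePasswordAuthenticationToken, AuthorityUtils) are real.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (not from the quiz): an evaluator that implements BOTH overloads,
// so a check by (targetId, targetType) no longer denies unconditionally.
public class DocumentPermissionEvaluator implements PermissionEvaluator {

    // Assumed authority naming convention: "<TYPE>_<PERMISSION>", e.g. DOCUMENT_READ.
    private static boolean hasAuthority(Authentication auth, String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || permission == null) {
            return false; // fail closed on a missing or anonymous principal
        }
        String required = (targetType + "_" + permission).toUpperCase();
        return auth.getAuthorities().stream()
            .anyMatch(granted -> granted.getAuthority().equals(required));
    }

    // Used by @PreAuthorize("hasPermission(#doc, 'write')"): the target is the domain object itself.
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (targetDomainObject == null) {
            return false;
        }
        // Derive the type from the object's class, e.g. Document -> DOCUMENT
        return hasAuthority(auth, targetDomainObject.getClass().getSimpleName(), permission);
    }

    // Used by @PreAuthorize("hasPermission(#id, 'Document', 'read')"): the target is an id plus a type name.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (targetId == null || targetType == null) {
            return false;
        }
        return hasAuthority(auth, targetType, permission);
    }

    // Wiring: in a real application this bean lives in a @Configuration class annotated with
    // @EnableMethodSecurity; without it, hasPermission(...) in SpEL never reaches this evaluator.
    public static MethodSecurityExpressionHandler expressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new DocumentPermissionEvaluator());
        return handler;
    }

    // Plain domain class used only for the demonstration (assumed, not from the quiz).
    public static class Document {}

    public static void main(String[] args) {
        PermissionEvaluator evaluator = new DocumentPermissionEvaluator();

        // Constructed sample principal holding DOCUMENT_READ and DOCUMENT_WRITE;
        // the three-argument token constructor marks the authentication as authenticated.
        Authentication alice = new UsernamePasswordAuthenticationToken(
            "alice", "n/a", AuthorityUtils.createAuthorityList("DOCUMENT_READ", "DOCUMENT_WRITE"));

        System.out.println("write on Document object: "
            + evaluator.hasPermission(alice, new Document(), "write"));
        System.out.println("read on Document id 42:    "
            + evaluator.hasPermission(alice, 42L, "Document", "read"));
        System.out.println("delete on Document id 42:  "
            + evaluator.hasPermission(alice, 42L, "Document", "delete"));
        System.out.println("read with null principal:  "
            + evaluator.hasPermission(null, new Document(), "read"));
    }
}
```

The two overloads share one helper so that the id-and-type path and the domain-object path cannot drift apart, which is the defect the Debug problem illustrates. Every early return in the helper is a denial: a null Authentication, an unauthenticated token, a missing permission or a missing target all evaluate to false, so a bug in the caller degrades to "access denied" rather than "access granted".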