Custom permission evaluator in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a Custom Permission Evaluator in Spring Security?
A Custom Permission Evaluator is a class that implements Spring Security's PermissionEvaluator interface to define fine-grained access control logic beyond simple role checks.
beginner
Which interface must you implement to create a Custom Permission Evaluator?
You must implement the PermissionEvaluator interface, which requires defining the methods hasPermission(Authentication, Object, Object) and hasPermission(Authentication, Serializable, String, Object).
intermediate
How does Spring Security use a Custom Permission Evaluator in method security?
Spring Security calls the hasPermission methods of your Custom Permission Evaluator when you use expressions like @PreAuthorize("hasPermission(...)") to decide if access should be granted.
intermediate
What are the two main methods you must override in a Custom Permission Evaluator?
The two methods are: hasPermission(Authentication authentication, Object targetDomainObject, Object permission) and hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission).
intermediate
Why would you use a Custom Permission Evaluator instead of simple role-based checks?
Because it allows you to check permissions based on the actual domain object or context, enabling more precise and flexible security rules than just checking user roles.
Which interface do you implement to create a Custom Permission Evaluator in Spring Security?
A. AuthenticationProvider
B. UserDetailsService
C. AccessDecisionVoter
D. PermissionEvaluator
What annotation commonly uses hasPermission expressions to invoke a Custom Permission Evaluator?
A. @PreAuthorize
B. @Controller
C. @Service
D. @Entity
Which method signature is NOT part of the PermissionEvaluator interface?
A. hasPermission(Authentication, Object, Object)
B. hasPermission(Authentication, String, Object)
C. hasPermission(Authentication, Serializable, String, Object)
D. None of the above
What does the 'targetDomainObject' parameter represent in hasPermission method?
A. The HTTP request
B. The user's role
C. The domain object to check permission against
D. The authentication token
Why is a Custom Permission Evaluator useful?
A. To implement complex, object-level security rules
B. To replace the entire Spring Security framework
C. To manage database connections
D. To handle user login forms
Explain how to create and use a Custom Permission Evaluator in Spring Security.
Think about the interface, methods, and how Spring Security calls it.
    Describe the difference between role-based access control and permission evaluation with a Custom Permission Evaluator.
    Consider the level of detail in access decisions.

      Practice

      1. What is the main purpose of a Custom PermissionEvaluator in Spring Boot security?
      easy
      A. To handle database connections securely
      B. To replace the entire Spring Security framework
      C. To define custom rules for checking user permissions in a reusable way
      D. To manage user sessions automatically

      Solution

      1. Step 1: Understand the role of PermissionEvaluator

        The PermissionEvaluator interface allows defining custom logic to check if a user has permission to perform an action.
      2. Step 2: Identify the purpose of custom implementation

        Implementing a custom PermissionEvaluator lets you write your own rules that can be reused across your application for security checks.
      3. Final Answer:

        To define custom rules for checking user permissions in a reusable way -> Option C
      4. Quick Check:

        Custom PermissionEvaluator = Custom reusable permission rules [OK]
      Hint: Custom PermissionEvaluator defines reusable permission rules [OK]
      Common Mistakes:
      • Thinking it replaces Spring Security entirely
      • Confusing it with session management
      • Assuming it manages database connections
      2. Which method must you override when implementing a PermissionEvaluator to check permissions based on a target domain object?
      easy
      A. checkPermission(Authentication authentication, String permission)
      B. hasPermission(Authentication authentication, Object targetDomainObject, Object permission)
      C. evaluatePermission(User user, String permission)
      D. validatePermission(Object targetDomainObject)

      Solution

      1. Step 1: Recall PermissionEvaluator interface methods

        PermissionEvaluator has two methods: one with targetDomainObject and one with targetId and targetType.
      2. Step 2: Identify the method for domain object permission check

        The method hasPermission(Authentication authentication, Object targetDomainObject, Object permission) is used to check permissions on a domain object.
      3. Final Answer:

        hasPermission(Authentication authentication, Object targetDomainObject, Object permission) -> Option B
      4. Quick Check:

        Domain object permission method = hasPermission with targetDomainObject [OK]
      Hint: Override hasPermission with targetDomainObject for object checks [OK]
      Common Mistakes:
      • Choosing methods not in PermissionEvaluator interface
      • Confusing method parameters
      • Using method names that don't exist
      3. Given this custom PermissionEvaluator method snippet:
      public boolean hasPermission(Authentication auth, Object target, Object perm) {
        if (auth == null || target == null || !(perm instanceof String)) {
          return false;
        }
        String permission = (String) perm;
        User user = (User) auth.getPrincipal();
        return user.getRoles().contains(permission);
      }

      What will be the result if auth is null?
      medium
      A. Returns false immediately
      B. Throws NullPointerException
      C. Returns true by default
      D. Ignores null and continues

      Solution

      1. Step 1: Analyze the null check at method start

        The method checks if auth is null and returns false immediately if so.
      2. Step 2: Understand the flow when auth is null

        Since auth == null triggers return false, no further code runs and no exception occurs.
      3. Final Answer:

        Returns false immediately -> Option A
      4. Quick Check:

        Null auth returns false immediately [OK]
      Hint: Null checks return false early to avoid exceptions [OK]
      Common Mistakes:
      • Assuming NullPointerException will be thrown
      • Thinking it returns true by default
      • Ignoring the null check logic
      4. You wrote this custom PermissionEvaluator method:
      public boolean hasPermission(Authentication auth, Object target, Object perm) {
        String permission = (String) perm;
        User user = (User) auth.getPrincipal();
        return user.getRoles().contains(permission);
      }

      What is the main problem with this code?
      medium
      A. It should return true by default
      B. Casting perm to String is unnecessary
      C. User roles cannot be checked this way
      D. It lacks null checks and may throw NullPointerException

      Solution

      1. Step 1: Check for missing null validations

        The method does not check if auth, perm, or auth.getPrincipal() are null before casting or calling methods.
      2. Step 2: Understand consequences of missing null checks

        If any are null, the code will throw NullPointerException at runtime.
      3. Final Answer:

        It lacks null checks and may throw NullPointerException -> Option D
      4. Quick Check:

        Missing null checks cause runtime exceptions [OK]
      Hint: Always add null checks before casting or method calls [OK]
      Common Mistakes:
      • Ignoring null safety
      • Thinking casting is always safe
      • Assuming roles check is invalid
      5. You want to create a custom PermissionEvaluator that allows a user to edit a document only if they have the "EDITOR" role and the document status is "DRAFT".
      Which code snippet correctly implements this logic inside hasPermission?
      hard
      A. if (auth == null || target == null) return false; User user = (User) auth.getPrincipal(); Document doc = (Document) target; return user.getRoles().contains("EDITOR") && "DRAFT".equals(doc.getStatus());
      B. User user = (User) auth.getPrincipal(); Document doc = (Document) target; return user.getRoles().contains("EDITOR") || doc.getStatus().equals("DRAFT");
      C. if (auth == null) return true; Document doc = (Document) target; return doc.getStatus() == "DRAFT";
      D. User user = (User) auth.getPrincipal(); return user.getRoles().contains("EDITOR");

      Solution

      1. Step 1: Check for null authentication and target

        Security checks should return false if authentication or target is null to avoid errors.
      2. Step 2: Verify user role and document status conditions

        The user must have "EDITOR" role and the document status must be exactly "DRAFT" for permission to be granted.
      3. Step 3: Confirm correct logical operator usage

        Both conditions must be true, so use logical AND (&&), not OR (||).
      4. Final Answer:

        if (auth == null || target == null) return false; User user = (User) auth.getPrincipal(); Document doc = (Document) target; return user.getRoles().contains("EDITOR") && "DRAFT".equals(doc.getStatus()); -> Option A
      5. Quick Check:

        Check nulls + role AND status = correct logic [OK]
      Hint: Use && to combine role and status checks with null safety [OK]
      Common Mistakes:
      • Using || instead of && for both conditions
      • Not checking for null auth or target
      • Comparing strings with == instead of equals()