
Method-level security in Spring Boot

Introduction

Method-level security protects specific operations in your app by controlling who may invoke a given method. The permission check runs at the point where the sensitive action happens, so the rule holds no matter which controller, scheduler or other caller reached the method.

You want to allow only certain users to run a specific function in your app.
You need to protect sensitive operations like deleting data or viewing private info.
You want to add security checks directly on service methods, so a rule is enforced whatever endpoint or caller reaches them, in addition to any URL-level rules.
You want to easily manage who can do what without changing your whole app setup.
Syntax
Spring Boot
@PreAuthorize("hasRole('ROLE_NAME')")
public ReturnType methodName(Parameters) {
    // method code
}

@PreAuthorize is an annotation that checks permissions before the method runs.

You can use expressions like hasRole('ROLE_NAME') to specify who can access the method.

Examples
This method can only be run by users with the ADMIN role.
Spring Boot
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(Long id) {
    // delete user code
}
This method requires the user to have the READ_PRIVILEGE authority.
Spring Boot
@PreAuthorize("hasAuthority('READ_PRIVILEGE')")
public List<Item> getItems() {
    // return items
}
This method allows users to update only their own profile: #user refers to the method parameter named user, and its name is compared with the name of the authenticated principal.
Spring Boot
@PreAuthorize("#user.name == authentication.name")
public void updateProfile(User user) {
    // update profile code
}
Sample Program

This service has two methods. viewAccount can be called by users with the USER role, and deleteAccount only by users with the ADMIN role. This shows how to protect methods based on roles. Note that the two checks are independent: an ADMIN who has not also been granted ROLE_USER is denied viewAccount unless a role hierarchy is configured.

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AccountService {

    @PreAuthorize("hasRole('USER')")
    public String viewAccount() {
        return "Account details visible";
    }

    @PreAuthorize("hasRole('ADMIN')")
    public String deleteAccount() {
        return "Account deleted";
    }
}
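The sample above is only safe if every caller actually goes through the annotated method. The following is an added example, not code from the original page, showing the most common way the check is bypassed: Spring applies @PreAuthorize through an AOP proxy, so a call from one method of the bean to another method of the same bean (this.deleteAccount()) never passes through the proxy and the rule is skipped. The class and method names are assumptions.

```java
// Added example (not from the original page): self-invocation bypasses proxy-based method security.
package com.example.methodsec;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AccountService {

    @PreAuthorize("hasRole('ADMIN')")
    public String deleteAccount() {
        return "Account deleted";
    }

    // VULNERABLE: any caller that can reach closeAndDelete() can delete an account.
    // deleteAccount() is invoked on 'this', a plain Java call on the target object,
    // so the proxy that evaluates @PreAuthorize is never involved.
    public String closeAndDelete() {
        return deleteAccount();
    }

    // FIXED: put the authorization rule on the entry point callers actually reach.
    // Every externally callable path to a sensitive operation needs its own check;
    // the same bypass applies to a method called on an instance created with 'new'.
    @PreAuthorize("hasRole('ADMIN')")
    public String closeAndDeleteSecured() {
        return deleteAccount();
    }
}
```

A test that calls closeAndDelete() with a non-admin user and expects AccessDeniedException will fail against the vulnerable method, which is exactly the kind of check worth keeping in the build.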
Important Notes

Enable method security by adding @EnableMethodSecurity to a configuration class (it enables @PreAuthorize and @PostAuthorize by default; older Spring Security versions used @EnableGlobalMethodSecurity(prePostEnabled = true)). Without it the annotations are silently ignored and every call succeeds, so verify enforcement with a test rather than trusting the annotation's presence.

Use @PreAuthorize for checks that run before the method executes, and @PostAuthorize for checks on the result (available in the expression as returnObject) after it executes. Because the method body has already run when @PostAuthorize is evaluated, use it only for side-effect-free read operations.

Make sure your security context is set up so roles and authorities are recognized: hasRole('ADMIN') matches a granted authority named ROLE_ADMIN (the ROLE_ prefix is added for you), while hasAuthority('READ_PRIVILEGE') matches the authority name exactly. Method security is applied through Spring AOP proxies, so it covers calls into a Spring bean from outside but not a method calling another method of the same object (self-invocation) or a method on an instance created with new. Annotate every externally reachable entry point to a sensitive operation, and keep HTTP-level authorization rules as a second layer.
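Putting the notes above together, here is an added example (not code from the original page) of a complete Spring Boot 3 / Spring Security 6 setup: method security is enabled, applied to a service with role, authority, parameter-based and post-invocation rules, and then proven to be enforced by a test using spring-security-test. The package, class and user names, and the constructed demo users, are assumptions.

```java
// Added example, not from the original page. The test class belongs under src/test and needs
// spring-boot-starter-test and spring-security-test on the test classpath.
package com.example.methodsec;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

@SpringBootApplication
public class MethodSecurityDemo { }

@Configuration
@EnableMethodSecurity // without this, @PreAuthorize/@PostAuthorize are never enforced
class SecurityConfig {
    @Bean
    UserDetailsService users() {
        // Constructed demo users; {noop} means plaintext passwords, acceptable only in a demo.
        // roles("ADMIN") stores the authority as ROLE_ADMIN, which is what hasRole('ADMIN') matches;
        // the plain authority READ_PRIVILEGE is matched by hasAuthority('READ_PRIVILEGE').
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}pw").authorities("ROLE_USER", "READ_PRIVILEGE").build(),
            User.withUsername("root").password("{noop}pw").roles("ADMIN").build());
    }
}

@Service
class AccountService {
    public static class Account {
        private final String owner;
        Account(String owner) { this.owner = owner; }
        public String getOwner() { return owner; } // SpEL resolves returnObject.owner via this getter
    }

    @PreAuthorize("hasRole('USER')")
    public String viewAccount() { return "Account details visible"; }

    @PreAuthorize("hasRole('ADMIN')")
    public String deleteAccount() { return "Account deleted"; }

    // #owner refers to the parameter by name; the class must be compiled with -parameters,
    // which the Spring Boot Maven and Gradle plugins configure by default.
    @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
    public String updateProfile(String owner) { return "Updated " + owner; }

    // @PostAuthorize evaluates after the body has run, so keep it to side-effect-free reads:
    // the Account is built, then withheld unless the caller owns it or is an admin.
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Account loadAccount(String owner) { return new Account(owner); }
}

@SpringBootTest
class AccountServiceSecurityTest {
    @Autowired AccountService service;

    @Test
    @WithMockUser(username = "alice", roles = "USER") // granted as ROLE_USER
    void userCanViewButNotDelete() {
        assertEquals("Account details visible", service.viewAccount());
        assertThrows(AccessDeniedException.class, service::deleteAccount);
    }

    @Test
    @WithMockUser(username = "alice", roles = "USER")
    void userCanOnlyTouchOwnProfile() {
        assertEquals("Updated alice", service.updateProfile("alice"));
        assertThrows(AccessDeniedException.class, () -> service.updateProfile("bob"));
        assertThrows(AccessDeniedException.class, () -> service.loadAccount("bob"));
    }

    @Test
    @WithMockUser(username = "root", roles = "ADMIN")
    void adminIsNotAutomaticallyAUser() {
        assertEquals("Account deleted", service.deleteAccount());
        // hasRole('USER') does not match ROLE_ADMIN unless a RoleHierarchy bean is configured.
        assertThrows(AccessDeniedException.class, service::viewAccount);
    }

    @Test
    void anonymousCallIsRejectedBeforeTheMethodRuns() {
        // No Authentication in the SecurityContext at all: rejected with a different exception,
        // but the method body still never executes.
        assertThrows(AuthenticationCredentialsNotFoundException.class, service::viewAccount);
    }
}
```

If @EnableMethodSecurity is removed from SecurityConfig, every assertThrows in the test fails, which is the signal that the annotations had stopped being enforced.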

Summary

Method-level security controls access to specific methods in your app.

Use @PreAuthorize with role or authority checks to protect methods.

This helps keep your app safe by checking permissions right where actions happen.

Practice

(1/5)
1. What is the main purpose of using @PreAuthorize in Spring Boot method-level security?
easy
A. To log method execution time
B. To restrict access to a method based on user roles or permissions
C. To automatically retry failed method calls
D. To inject dependencies into a method

Solution

  1. Step 1: Understand the role of @PreAuthorize

    @PreAuthorize is an annotation used to secure methods by specifying access rules based on roles or permissions.
  2. Step 2: Identify the correct purpose

    It restricts method access to users who meet the specified security expression, such as having a certain role.
  3. Final Answer:

    To restrict access to a method based on user roles or permissions -> Option B
  4. Quick Check:

    Method-level security = restrict access [OK]
Hint: Remember: @PreAuthorize controls who can call a method [OK]
Common Mistakes:
  • Confusing @PreAuthorize with logging or retry mechanisms
  • Thinking it injects dependencies
  • Treating it as a generic before-method hook rather than an authorization check
2. Which of the following is the correct syntax to restrict a method to users with role 'ADMIN' using @PreAuthorize?
easy
A. @PreAuthorize("checkRole('ADMIN')")
B. @PreAuthorize("hasPermission('ADMIN')")
C. @PreAuthorize("isUser('ADMIN')")
D. @PreAuthorize("hasRole('ADMIN')")

Solution

  1. Step 1: Recall the correct expression for role checking

    The correct Spring Security expression to check a role is hasRole('ROLE_NAME').
  2. Step 2: Match the syntax

    @PreAuthorize("hasRole('ADMIN')") uses hasRole('ADMIN'), which is the standard and correct syntax.
  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN')") -> Option D
  4. Quick Check:

    Role check syntax = hasRole('ROLE') [OK]
Hint: Use hasRole('ROLE') inside @PreAuthorize for role checks [OK]
Common Mistakes:
  • Using hasPermission instead of hasRole for roles
  • Using non-existent expressions like isUser or checkRole
  • Missing quotes or wrong method names
3. Given the method below, what will happen if a user without the 'USER' role calls getUserData()?
@PreAuthorize("hasRole('USER')")
public String getUserData() {
    return "User Data";
}
medium
A. The method returns null
B. The method returns "User Data" normally
C. AccessDeniedException is thrown and method is not executed
D. The method executes but logs a warning

Solution

  1. Step 1: Understand the effect of @PreAuthorize with hasRole

    The annotation evaluates the expression before the method body runs and blocks execution if the user lacks the required role.
  2. Step 2: Identify the behavior when the role is missing

    Spring Security throws an AccessDeniedException and the method body never runs. (If there is no Authentication in the security context at all, the call is rejected with AuthenticationCredentialsNotFoundException instead; either way the method does not execute.)
  3. Final Answer:

    AccessDeniedException is thrown and method is not executed -> Option C
  4. Quick Check:

    Missing role = AccessDeniedException [OK]
Hint: No role? Method blocked with AccessDeniedException [OK]
Common Mistakes:
  • Thinking method returns null instead of throwing exception
  • Assuming method runs but logs warning
  • Believing method returns data regardless of role
4. Identify the error in the following method-level security annotation:
@PreAuthorize("hasRole(ADMIN)")
public void deleteUser() {
    // delete logic
}
medium
A. Missing quotes around 'ADMIN' in hasRole expression
B. Method should return a value, not void
C. Annotation should be @PostAuthorize instead of @PreAuthorize
D. No error, the code is correct

Solution

  1. Step 1: Check the syntax of the hasRole expression

    The role name must be a string literal in single quotes, like hasRole('ADMIN').
  2. Step 2: Identify the missing quotes

    The code uses hasRole(ADMIN) without quotes, so SpEL parses ADMIN as a property reference on the security expression root rather than a string. No such property exists, the expression fails to evaluate at call time, and the call is rejected with an exception (fail-closed) rather than granted.
  3. Final Answer:

    Missing quotes around 'ADMIN' in hasRole expression -> Option A
  4. Quick Check:

    Role names need quotes in hasRole [OK]
Hint: Always put role names in quotes inside hasRole() [OK]
Common Mistakes:
  • Forgetting quotes around role names
  • Confusing @PreAuthorize with @PostAuthorize
  • Thinking void methods cannot be secured
5. You want to secure a method so that only users with role 'ADMIN' or with the authority 'WRITE_PRIVILEGE' can access it. Which @PreAuthorize expression correctly implements this?
hard
A. @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')")
B. @PreAuthorize("hasRole('ADMIN') && hasAuthority('WRITE_PRIVILEGE')")
C. @PreAuthorize("hasRole('ADMIN') xor hasAuthority('WRITE_PRIVILEGE')")
D. @PreAuthorize("hasRole('ADMIN') and hasAuthority('WRITE_PRIVILEGE')")

Solution

  1. Step 1: Understand the requirement for access

    The method should allow access if the user has either the 'ADMIN' role or the 'WRITE_PRIVILEGE' authority. A plain granted authority is checked with hasAuthority(); hasPermission() is a different expression for domain-object (ACL) checks and takes the object and the permission as arguments.
  2. Step 2: Choose the correct logical operator

    The logical OR operator (or, also written ||) grants access if either condition is true, matching the requirement. and / && would require both, and xor is not a SpEL operator.
  3. Step 3: Verify syntax correctness

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')") uses or and correct method calls with quoted string literals, making it valid.
  4. Final Answer:

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')") -> Option A
  5. Quick Check:

    Use 'or' to allow either the role or the authority [OK]
Hint: Use 'or' (or '||') to combine role and authority checks [OK]
Common Mistakes:
  • Using 'and' (or '&&') instead of 'or' when either condition suffices
  • Using hasPermission() for a granted authority; it is meant for domain-object permission checks
  • Using xor, which SpEL does not provide and which would deny an ADMIN who also holds WRITE_PRIVILEGE