
Method-level security in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1: Component behavior (intermediate)
What happens when a user without the required role calls a secured method?

Consider a Spring Boot service method annotated with @PreAuthorize("hasRole('ADMIN')") in an application where method security is enabled. What happens when an authenticated user who does not hold the ADMIN role invokes the method through the Spring-managed bean?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class UserService {
    // Evaluated by the bean's proxy before the body runs; has no effect unless
    // @EnableMethodSecurity is present somewhere in the configuration
    @PreAuthorize("hasRole('ADMIN')")
    public String getAdminData() {
        return "Sensitive admin data";
    }
}
A. A runtime AccessDeniedException is thrown before the method executes.
B. The application crashes with a NullPointerException.
C. The method returns null without throwing an error.
D. The method executes normally and returns the data.
💡 Hint

Think about what Spring Security does when access is denied at method level.

Problem 2: Syntax (intermediate)
Which annotation correctly restricts method access to users with 'USER' role?

Choose the correct Spring Security annotation to restrict access to a method so only users with the USER role can call it.

A. @RolesAllowed("ROLE_USER")
B. @Secured("USER")
C. @PreAuthorize("hasRole('USER')")
D. @PreAuthorize("hasAuthority('USER')")
💡 Hint

Remember the role prefix: hasRole('USER') matches the granted authority ROLE_USER, whereas hasAuthority and @Secured compare the authority string verbatim. @Secured and @RolesAllowed are also only honored when they are switched on (securedEnabled / jsr250Enabled), so the @PreAuthorize form is the one that works with the default method-security setup.
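Problems 1 and 2 come down to the same two mechanisms: the authorization check runs in the bean's proxy before the method body, and only hasRole (and the JSR-250 annotation) add the ROLE_ prefix. The Spring Boot 3 / Spring Security 6 test below is an added example, not code from the original page. It assumes spring-boot-starter-security, spring-security-test and AssertJ (shipped with spring-boot-starter-test) on the test classpath; the package, class and method names are placeholders.

```java
package example.methodsecurity;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;

import jakarta.annotation.security.RolesAllowed;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

@SpringBootTest(classes = {MethodSecurityExampleTest.Config.class,
                           MethodSecurityExampleTest.UserService.class})
public class MethodSecurityExampleTest {

    // Without @EnableMethodSecurity every annotation below is silently ignored and
    // each method runs for every caller. securedEnabled / jsr250Enabled switch on
    // @Secured and @RolesAllowed, which are off by default.
    @Configuration
    @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
    static class Config {}

    @Service
    public static class UserService {
        @PreAuthorize("hasRole('ADMIN')")      // needs granted authority ROLE_ADMIN
        public String getAdminData() { return "Sensitive admin data"; }

        @PreAuthorize("hasRole('USER')")       // prefix added: needs ROLE_USER
        public String byHasRole() { return "ok"; }

        @PreAuthorize("hasAuthority('USER')")  // verbatim: needs an authority literally named USER
        public String byHasAuthority() { return "ok"; }

        @Secured("USER")                       // verbatim as well: needs USER, not ROLE_USER
        public String bySecured() { return "ok"; }

        @RolesAllowed("USER")                  // JSR-250: ROLE_ prefix is prepended (the
        public String byRolesAllowed() { return "ok"; } // unprefixed form is the portable one)
    }

    @Autowired UserService service;

    @Test
    @WithMockUser(roles = "USER")   // granted authority: ROLE_USER
    void plainUserIsRejectedBeforeTheMethodBodyRuns() {
        assertThatThrownBy(service::getAdminData).isInstanceOf(AccessDeniedException.class);
    }

    @Test
    @WithMockUser(roles = "ADMIN")  // granted authority: ROLE_ADMIN
    void adminGetsTheData() {
        assertThat(service.getAdminData()).isEqualTo("Sensitive admin data");
    }

    @Test
    @WithMockUser(roles = "USER")   // only ROLE_USER is granted, never a bare USER
    void onlyPrefixAwareChecksAcceptARoleNamedUser() {
        assertThat(service.byHasRole()).isEqualTo("ok");
        assertThat(service.byRolesAllowed()).isEqualTo("ok");
        assertThatThrownBy(service::byHasAuthority).isInstanceOf(AccessDeniedException.class);
        assertThatThrownBy(service::bySecured).isInstanceOf(AccessDeniedException.class);
    }
}
```

The first test is the answer to problem 1 in executable form: the body never runs, the proxy raises AccessDeniedException. The last test is problem 2: with ROLE_USER granted, only the prefix-aware checks pass, while hasAuthority('USER') and @Secured("USER") look for an authority that was never granted.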

Problem 3: State and output (advanced)
What does a method secured with @PostAuthorize return when the caller holds the ADMIN role?

Given the following method secured with @PostAuthorize, what will be the output if the user has the ADMIN role?

Spring Boot
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.stereotype.Service;

@Service
public class ProductService {
    // Evaluated after the body has run; returnObject is the returned Product,
    // authentication.name is the caller's username from the SecurityContext.
    // Product(int id, String name, String owner) exposes getOwner(), which SpEL
    // resolves as returnObject.owner
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Product getProduct(int id) {
        return new Product(id, "Book", "user1");
    }
}

// User 'admin', holding ROLE_ADMIN, calls getProduct(1)
A. Returns the Product object with id 1 and owner 'user1'.
B. Returns null because the user is not the owner.
C. Throws AccessDeniedException because the user is not the owner.
D. Returns a list of all products.
💡 Hint

Think about when @PostAuthorize evaluates its expression, what returnObject refers to, and what an 'or' between the two conditions means for an ADMIN caller.

Problem 4: Debug (advanced)
Does this @PreAuthorize expression cause a syntax error?

Examine this Spring Security method annotation. As written it is valid SpEL: both '&&' and 'and' are accepted spellings of the logical AND operator, and string literals are written with single quotes. Which of the statements below describes a condition under which the expression actually fails?

@PreAuthorize("hasRole('ADMIN') && hasPermission(#id, 'read')")
A. The quotes around 'read' should be double quotes, not single quotes.
B. The expression uses '&&', which is invalid; it should use 'and'.
C. The method parameter '#id' cannot be resolved when parameter names are not available at runtime (class compiled without -parameters and no @P annotation on the parameter).
D. The annotation must be @PostAuthorize, not @PreAuthorize.
💡 Hint

SpEL accepts both spellings of the logical operators. What the expression needs at runtime is a way to resolve #id (compiler-retained parameter names or @P) and a PermissionEvaluator bean behind hasPermission; without the latter, hasPermission always denies.

Problem 5: Conceptual (expert)
Which statement best describes method-level security with Spring AOP proxies?

In Spring Security, method-level security is often implemented using proxies. Which statement below is true about how this affects method calls within the same class?

A. Method-level security requires explicit calls to security methods inside the class.
B. All method calls, internal or external, go through the proxy and are secured.
C. Security checks are applied only if methods are called from outside the application.
D. Internal method calls within the same class bypass security checks because proxies are not involved.
💡 Hint

Think about how Spring AOP proxies work with self-invocation.
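The self-invocation bypass is the single most common way an annotated method ends up unprotected in production, so it is worth seeing it fail and then fixing it. The test below is an added example, not code from the original page; it assumes Spring Boot 3 / Spring Security 6 with spring-security-test and AssertJ on the test classpath, and ReportService with its two summary methods is invented for illustration.

```java
package example.methodsecurity;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

@SpringBootTest(classes = {SelfInvocationExampleTest.Config.class,
                           SelfInvocationExampleTest.ReportService.class})
public class SelfInvocationExampleTest {

    @Configuration
    @EnableMethodSecurity
    static class Config {}

    @Service
    public static class ReportService {
        // A reference to this bean's own proxy. @Lazy breaks the circular reference
        // so the container can construct the bean before handing it a proxy to itself.
        @Autowired @Lazy private ReportService self;

        @PreAuthorize("hasRole('ADMIN')")
        public String adminReport() { return "all salaries"; }

        // BUG: a plain Java call on the target object. The CGLIB proxy, and with it
        // the authorization interceptor, never sees this invocation.
        public String summaryViaThis() { return "summary: " + adminReport(); }

        // FIX: go back out through the proxy so the @PreAuthorize interceptor runs.
        public String summaryViaProxy() { return "summary: " + self.adminReport(); }
    }

    @Autowired ReportService service;

    @Test
    @WithMockUser(roles = "USER")
    void directCallFromOutsideIsChecked() {
        assertThatThrownBy(service::adminReport).isInstanceOf(AccessDeniedException.class);
    }

    @Test
    @WithMockUser(roles = "USER")
    void selfInvocationSilentlyBypassesTheCheck() {
        // No exception: the secured method ran for a non-admin.
        assertThat(service.summaryViaThis()).isEqualTo("summary: all salaries");
    }

    @Test
    @WithMockUser(roles = "USER")
    void callingThroughTheProxyRestoresTheCheck() {
        assertThatThrownBy(service::summaryViaProxy).isInstanceOf(AccessDeniedException.class);
    }
}
```

Self-injection is shown here to keep the example in one class; the cleaner fix is to move the secured method into its own bean so that every caller reaches it through a proxy. Either way, a test like selfInvocationSilentlyBypassesTheCheck is the regression test to keep, because nothing at compile time or startup warns about this.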