Method-level security in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What happens when a user without the required role calls a secured method?

Consider a Spring Boot service method annotated with @PreAuthorize("hasRole('ADMIN')"). What is the behavior when a user without the ADMIN role tries to invoke this method?

Spring Boot
public class UserService {
    @PreAuthorize("hasRole('ADMIN')")
    public String getAdminData() {
        return "Sensitive admin data";
    }
}
A. A runtime AccessDeniedException is thrown before the method executes.
B. The application crashes with a NullPointerException.
C. The method returns null without throwing an error.
D. The method executes normally and returns the data.
💡 Hint

Think about what Spring Security does when access is denied at method level.

📝 Syntax
intermediate
Which annotation correctly restricts method access to users with the 'USER' role?

Choose the Spring Security expression-based annotation that restricts access to a method so that only users holding the USER role (granted authority ROLE_USER) can call it.

A. @RolesAllowed("ROLE_USER")
B. @Secured("USER")
C. @PreAuthorize("hasRole('USER')")
D. @PreAuthorize("hasAuthority('USER')")
💡 Hint

Remember the exact syntax for @PreAuthorize and how role prefixes are handled: hasRole() adds the ROLE_ prefix for you, while hasAuthority() compares the string exactly as written.

state_output
advanced
What is the output when a method with @PostAuthorize returns an object the caller does not own?

Given the following method secured with @PostAuthorize, what will be the output if the calling user has the ADMIN role but is not the product's owner?

Spring Boot
public class ProductService {
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Product getProduct(int id) {
        return new Product(id, "Book", "user1");
    }
}

// Product exposes owner through a getter, which the expression reads as returnObject.owner
record Product(int id, String name, String owner) {
    public String getOwner() { return owner; }
}

// User 'admin' calls getProduct(1)
A. Returns the Product object with id 1 and owner 'user1'.
B. Returns null because the user is not the owner.
C. Throws AccessDeniedException because the user is not the owner.
D. Returns a list of all products.
💡 Hint

Think about what @PostAuthorize does after method execution.

🔧 Debug
advanced
Which statement about this @PreAuthorize expression is correct?

The expression below is sometimes reported as a syntax error. Identify the statement that is actually true of it:

@PreAuthorize("hasRole('ADMIN') && hasPermission(#id, 'read')")
A. The quotes around 'read' should be double quotes, not single quotes.
B. The expression uses '&&', which is invalid; it should use 'and'.
C. The parameter reference '#id' resolves only if the method's parameter names are available at runtime (compile with -parameters, which Spring Boot's build plugins pass by default, or annotate the parameter with @P("id")).
D. The annotation must be @PostAuthorize, not @PreAuthorize.
💡 Hint

Check which logical operators SpEL actually accepts, and how Spring Security finds the name of a method parameter referenced as #id.

🧠 Conceptual
expert
Which statement best describes method-level security with Spring AOP proxies?

In Spring Security, method-level security is often implemented using proxies. Which statement below is true about how this affects method calls within the same class?

A. Method-level security requires explicit calls to security methods inside the class.
B. All method calls, internal or external, go through the proxy and are secured.
C. Security checks are applied only if methods are called from outside the application.
D. Internal method calls within the same class bypass security checks because proxies are not involved.
💡 Hint

Think about how Spring AOP proxies work with self-invocation.
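
The self-invocation gap behind the last challenge, shown with a stand-alone JDK dynamic proxy. This is an added example, not code from the original page or from Spring: the proxy imitates what Spring Security's method interceptor does (check the caller's roles, then forward the call), and RequiresAdmin, AccessDenied, UserService and secure() are hypothetical stand-ins for @PreAuthorize("hasRole('ADMIN')"), AccessDeniedException, a Spring bean and the AOP proxy Spring wraps it in. Run it with `java SelfInvocationDemo.java` (Java 11 or later).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

// Added example, not Spring's code: a JDK dynamic proxy standing in for the
// CGLIB/JDK proxy Spring Security places around a bean with secured methods.
public class SelfInvocationDemo {

    // Hypothetical stand-in for @PreAuthorize("hasRole('ADMIN')")
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresAdmin {}

    // Hypothetical stand-in for Spring Security's AccessDeniedException
    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    public interface UserService {
        String getAdminData();
        String report();
    }

    static class UserServiceImpl implements UserService {
        @RequiresAdmin
        public String getAdminData() { return "Sensitive admin data"; }

        // Not annotated; calls the secured method directly on 'this'
        public String report() { return "report: " + getAdminData(); }
    }

    // Wraps the target like Spring's AOP proxy: every call that arrives through
    // the proxy is checked against the caller's roles before being forwarded.
    static UserService secure(UserService target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            if (impl.isAnnotationPresent(RequiresAdmin.class) && !callerRoles.contains("ADMIN")) {
                throw new AccessDenied("ADMIN required for " + method.getName());
            }
            return method.invoke(target, args);
        };
        return (UserService) Proxy.newProxyInstance(
                UserService.class.getClassLoader(), new Class<?>[] {UserService.class}, handler);
    }

    public static void main(String[] args) {
        UserService asUser = secure(new UserServiceImpl(), Set.of("USER"));

        try {
            asUser.getAdminData();            // external call: intercepted and denied
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }

        // report() is not annotated, so the proxy forwards it. Inside the target,
        // getAdminData() is invoked on 'this', never on the proxy, so no check runs.
        System.out.println("leaked: " + asUser.report());
    }
}
```

The remedy in Spring is the same as it would be here: move the secured method into its own bean so the call crosses the proxy, inject the proxied bean into the caller instead of calling on `this`, or switch to AspectJ weaving, which instruments the class itself rather than wrapping it.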

Practice

1. What is the main purpose of using @PreAuthorize in Spring Boot method-level security?
easy
A. To log method execution time
B. To restrict access to a method based on user roles or permissions
C. To automatically retry failed method calls
D. To inject dependencies into a method

Solution

  1. Step 1: Understand the role of @PreAuthorize

    @PreAuthorize is an annotation used to secure methods by specifying access rules based on roles or permissions.
  2. Step 2: Identify the correct purpose

    It restricts method access to users who meet the specified security expression, such as having a certain role.
  3. Final Answer:

    To restrict access to a method based on user roles or permissions -> Option B
  4. Quick Check:

    Method-level security = restrict access [OK]
Hint: Remember: @PreAuthorize controls who can call a method [OK]
Common Mistakes:
  • Confusing @PreAuthorize with logging or retry mechanisms
  • Thinking it injects dependencies
  • Assuming it merely runs code before the method, rather than performing an access check that can stop the call
2. Which of the following is the correct syntax to restrict a method to users with role 'ADMIN' using @PreAuthorize?
easy
A. @PreAuthorize("checkRole('ADMIN')")
B. @PreAuthorize("hasPermission('ADMIN')")
C. @PreAuthorize("isUser('ADMIN')")
D. @PreAuthorize("hasRole('ADMIN')")

Solution

  1. Step 1: Recall the correct expression for role checking

    The Spring Security expression to check a role is hasRole('NAME'). Spring adds the ROLE_ prefix for you, so hasRole('ADMIN') is evaluated against the granted authority ROLE_ADMIN.
  2. Step 2: Match the syntax

    @PreAuthorize("hasRole('ADMIN')") uses hasRole('ADMIN'), which is the standard and correct syntax.
  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN')") -> Option D
  4. Quick Check:

    Role check syntax = hasRole('ROLE') [OK]
Hint: Use hasRole('ROLE') inside @PreAuthorize for role checks [OK]
Common Mistakes:
  • Using hasPermission instead of hasRole for roles
  • Using non-existent expressions like isUser or checkRole
  • Missing quotes or wrong method names
3. Given the method below, what will happen if a user without the 'USER' role calls getUserData()?
@PreAuthorize("hasRole('USER')")
public String getUserData() {
    return "User Data";
}
medium
A. The method returns null
B. The method returns "User Data" normally
C. AccessDeniedException is thrown and method is not executed
D. The method executes but logs a warning

Solution

  1. Step 1: Understand the effect of @PreAuthorize with hasRole

    The annotation blocks method execution if the user does not have the required role.
  2. Step 2: Identify the behavior when role is missing

    Spring Security throws an AccessDeniedException and prevents the method from running.
  3. Final Answer:

    AccessDeniedException is thrown and method is not executed -> Option C
  4. Quick Check:

    Missing role = AccessDeniedException [OK]
Hint: No role? Method blocked with AccessDeniedException [OK]
Common Mistakes:
  • Thinking method returns null instead of throwing exception
  • Assuming method runs but logs warning
  • Believing method returns data regardless of role
4. Identify the error in the following method-level security annotation:
@PreAuthorize("hasRole(ADMIN)")
public void deleteUser() {
    // delete logic
}
medium
A. Missing quotes around 'ADMIN' in hasRole expression
B. Method should return a value, not void
C. Annotation should be @PostAuthorize instead of @PreAuthorize
D. No error, the code is correct

Solution

  1. Step 1: Check the syntax of hasRole expression

    The role name must be a string inside quotes, like hasRole('ADMIN').
  2. Step 2: Identify the missing quotes

    The code uses hasRole(ADMIN) without quotes, so SpEL reads ADMIN as a property reference rather than a string literal. The expression then fails at evaluation time with a SpelEvaluationException (no property named ADMIN exists), so every call to deleteUser() errors out instead of being authorized.
  3. Final Answer:

    Missing quotes around 'ADMIN' in hasRole expression -> Option A
  4. Quick Check:

    Role names need quotes in hasRole [OK]
Hint: Always put role names in quotes inside hasRole() [OK]
Common Mistakes:
  • Forgetting quotes around role names
  • Confusing @PreAuthorize with @PostAuthorize
  • Thinking void methods cannot be secured
5. You want to secure a method so that only users with role 'ADMIN' or with the granted authority 'WRITE_PRIVILEGE' can access it. Which @PreAuthorize expression correctly implements this?
hard
A. @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')")
B. @PreAuthorize("hasRole('ADMIN') && hasAuthority('WRITE_PRIVILEGE')")
C. @PreAuthorize("hasRole('ADMIN') xor hasAuthority('WRITE_PRIVILEGE')")
D. @PreAuthorize("hasRole('ADMIN') and hasAuthority('WRITE_PRIVILEGE')")

Solution

  1. Step 1: Understand the requirement for access

    The method should allow access if the user has either the 'ADMIN' role or the 'WRITE_PRIVILEGE' authority.
  2. Step 2: Choose the correct logical operator

    The logical OR operator (or, equivalently ||) allows access if either condition is true, matching the requirement. Both and and && require every condition to hold, so B and D would lock out an admin without WRITE_PRIVILEGE.
  3. Step 3: Verify syntax correctness

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')") uses or and correct function calls with quoted arguments, making it valid. hasAuthority() compares the authority string exactly as written, while hasRole('ADMIN') is matched against ROLE_ADMIN. Note that hasPermission() is a different function: it takes a target object (or a target id and type) plus a permission and delegates to a PermissionEvaluator, so it is not the tool for a plain authority check.
  4. Final Answer:

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')") -> Option A
  5. Quick Check:

    Use 'or' to allow either role or authority [OK]
Hint: Use 'or' to combine role and authority checks [OK]
Common Mistakes:
  • Using 'and' (or '&&') instead of 'or' when either condition suffices
  • Confusing xor with or: the requirement is "either or both", not "exactly one"
  • Writing hasPermission('WRITE_PRIVILEGE') for an authority check; hasPermission needs a target and a configured PermissionEvaluator
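
A test that exercises the rules from Challenges 1 to 3 and Practice problems 3 and 5 against real Spring Security, as an added example rather than code from the original page. It assumes Spring Boot 3 with spring-boot-starter-security and spring-security-test on the test classpath; the MethodSecurityTest, Config, ProductService and Product names and the users admin, user1, user2 and editor are illustrative. The @EnableMethodSecurity line is the check most often missed: Spring Boot does not enable method security for you, and without it every annotation in the service is silently ignored and every assertion below that expects AccessDeniedException fails.

```java
package example;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;

// Added example, not from the original page. Names are illustrative; requires
// spring-boot-starter-security and spring-security-test (Spring Boot 3 / Security 6).
@SpringBootTest(classes = MethodSecurityTest.Config.class)
class MethodSecurityTest {

    // Plain holder with a getter so SpEL can read returnObject.owner
    public static class Product {
        private final int id;
        private final String name;
        private final String owner;
        Product(int id, String name, String owner) { this.id = id; this.name = name; this.owner = owner; }
        public int getId() { return id; }
        public String getName() { return name; }
        public String getOwner() { return owner; }
    }

    // Public and non-final so Spring can wrap it in a CGLIB proxy
    public static class ProductService {
        @PreAuthorize("hasRole('ADMIN')")
        public String getAdminData() { return "Sensitive admin data"; }

        @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
        public Product getProduct(int id) { return new Product(id, "Book", "user1"); }

        @PreAuthorize("hasRole('ADMIN') or hasAuthority('WRITE_PRIVILEGE')")
        public String write() { return "written"; }
    }

    @Configuration
    @EnableMethodSecurity // without this, the annotations above are never evaluated
    static class Config {
        @Bean ProductService productService() { return new ProductService(); }
    }

    @Autowired ProductService service;

    @Test @WithMockUser(username = "admin", roles = "ADMIN") // granted authority ROLE_ADMIN
    void adminPassesPreAuthorize() {
        assertEquals("Sensitive admin data", service.getAdminData());
    }

    @Test @WithMockUser(username = "user1", roles = "USER")
    void userIsDeniedBeforeTheMethodRuns() {
        assertThrows(AccessDeniedException.class, service::getAdminData);
    }

    @Test @WithMockUser(username = "user1", roles = "USER")
    void ownerPassesPostAuthorize() {
        assertEquals("user1", service.getProduct(1).getOwner());
    }

    @Test @WithMockUser(username = "user2", roles = "USER")
    void nonOwnerIsDeniedAfterTheMethodRan() {
        // the body executes (and builds the Product) before the check rejects the result
        assertThrows(AccessDeniedException.class, () -> service.getProduct(1));
    }

    @Test @WithMockUser(username = "admin", roles = "ADMIN")
    void adminPassesPostAuthorizeForAnyOwner() {
        assertEquals("user1", service.getProduct(1).getOwner());
    }

    @Test @WithMockUser(username = "editor", authorities = "WRITE_PRIVILEGE") // no ROLE_ prefix
    void bareAuthoritySatisfiesHasAuthorityButNotHasRole() {
        assertEquals("written", service.write());
        assertThrows(AccessDeniedException.class, service::getAdminData);
    }
}
```

The last test is the one that catches prefix mistakes: an authority named WRITE_PRIVILEGE satisfies hasAuthority('WRITE_PRIVILEGE') but never hasRole('WRITE_PRIVILEGE'), because hasRole looks for ROLE_WRITE_PRIVILEGE. Keep a denial test per secured method in the suite; a green test for the allowed path alone says nothing about whether the interceptor is active.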