Recall & Review
beginner
What is method-level security in Spring Boot?
Method-level security in Spring Boot means protecting individual methods in your code so only authorized users can run them. It controls access right where the action happens.
beginner
Which annotation is commonly used to secure methods by roles in Spring Boot?
The @PreAuthorize annotation is used to specify security rules before a method runs, like checking if a user has a certain role.
intermediate
How do you enable method-level security in a Spring Boot application?
You enable method-level security by adding @EnableMethodSecurity to a configuration class. This tells Spring to check security annotations on methods.
intermediate
What does @Secured annotation do in Spring Boot?
@Secured restricts method access to users with specific roles. It is simpler than @PreAuthorize but less flexible.
advanced
Why is method-level security useful compared to URL-based security?
Method-level security protects the actual business logic, so even if someone bypasses the web layer, they can't run protected methods. It adds a strong safety net.
Which annotation enables method-level security in Spring Boot?
A. @EnableWebSecurity
B. @EnableMethodSecurity
C. @EnableGlobalMethodSecurity
D. @EnableSecurity
Starting with Spring Security 6, @EnableMethodSecurity is used to enable method-level security.
What does @PreAuthorize("hasRole('ADMIN')") do?
A. Allows only users with ADMIN role to run the method
B. Prevents ADMIN users from running the method
C. Runs the method before authorization
D. Logs the ADMIN role before method execution
@PreAuthorize checks the user’s roles before allowing method execution.
Which annotation is simpler but less flexible than @PreAuthorize for method security?
A. @Secured
B. @RolesAllowed
C. @PostAuthorize
D. @PermitAll
@Secured only checks roles and is less flexible than @PreAuthorize, which supports SpEL expressions.
Where do you place method-level security annotations?
A. On entity classes
B. Only on controller classes
C. Only on configuration classes
D. On service or controller methods
Method-level security annotations go on the methods you want to protect, often in service or controller classes.
Why use method-level security in addition to URL security?
A. To avoid writing any URL security
B. To speed up the application
C. To protect business logic even if URL security is bypassed
D. To allow all users access
Method-level security adds a second layer of protection directly on the code that does the work.
Explain how to secure a method in Spring Boot using annotations.
Think about what you add to your config and what you add to your methods.
Describe the benefits of method-level security compared to only URL-based security.
Consider what happens if someone tries to call methods without going through the web.
Practice
1. What is the main purpose of using @PreAuthorize in Spring Boot method-level security?
easy
A. To log method execution time
B. To restrict access to a method based on user roles or permissions
C. To automatically retry failed method calls
D. To inject dependencies into a method
Solution
Step 1: Understand the role of @PreAuthorize
@PreAuthorize is an annotation used to secure methods by specifying access rules based on roles or permissions.
Step 2: Identify the correct purpose
It restricts method access to users who meet the specified security expression, such as having a certain role.
Final Answer:
To restrict access to a method based on user roles or permissions -> Option B
Quick Check:
Method-level security = restrict access [OK]
Hint: Remember: @PreAuthorize controls who can call a method [OK]
Common Mistakes:
Confusing @PreAuthorize with logging or retry mechanisms
Thinking it injects dependencies
Assuming it runs code before method execution without security checks
2. Which of the following is the correct syntax to restrict a method to users with role 'ADMIN' using @PreAuthorize?
easy
A. @PreAuthorize("checkRole('ADMIN')")
B. @PreAuthorize("hasPermission('ADMIN')")
C. @PreAuthorize("isUser('ADMIN')")
D. @PreAuthorize("hasRole('ADMIN')")
Solution
Step 1: Recall the correct expression for role checking
The correct Spring Security expression to check a role is hasRole('ROLE_NAME').
Step 2: Match the syntax
@PreAuthorize("hasRole('ADMIN')") uses hasRole('ADMIN'), which is the standard and correct syntax.
Final Answer:
@PreAuthorize("hasRole('ADMIN')") -> Option D
Quick Check:
Role check syntax = hasRole('ROLE') [OK]
Hint: Use hasRole('ROLE') inside @PreAuthorize for role checks [OK]
Common Mistakes:
Using hasPermission instead of hasRole for roles
Using non-existent expressions like isUser or checkRole
Missing quotes or wrong method names
3. Given the method below, what will happen if a user without the 'USER' role calls getUserData()?
@PreAuthorize("hasRole('USER')")
public String getUserData() {
    return "User Data";
}
medium
A. The method returns null
B. The method returns "User Data" normally
C. AccessDeniedException is thrown and method is not executed
D. The method executes but logs a warning
Solution
Step 1: Understand the effect of @PreAuthorize with hasRole
The annotation blocks method execution if the user does not have the required role.
Step 2: Identify the behavior when role is missing
Spring Security throws an AccessDeniedException and prevents the method from running.
Final Answer:
AccessDeniedException is thrown and method is not executed -> Option C
Quick Check:
Missing role = AccessDeniedException [OK]
Hint: No role? Method blocked with AccessDeniedException [OK]
Common Mistakes:
Thinking method returns null instead of throwing exception
Assuming method runs but logs warning
Believing method returns data regardless of role
4. Identify the error in the following method-level security annotation:
@PreAuthorize("hasRole(ADMIN)")
public void deleteUser() {
    // delete logic
}
medium
A. Missing quotes around 'ADMIN' in hasRole expression
B. Method should return a value, not void
C. Annotation should be @PostAuthorize instead of @PreAuthorize
D. No error, the code is correct
Solution
Step 1: Check the syntax of hasRole expression
The role name must be a string inside quotes, like hasRole('ADMIN').
Step 2: Identify the missing quotes
The code uses hasRole(ADMIN) without quotes, causing a syntax error.
Final Answer:
Missing quotes around 'ADMIN' in hasRole expression -> Option A
Quick Check:
Role names need quotes in hasRole [OK]
Hint: Always put role names in quotes inside hasRole() [OK]
Common Mistakes:
Forgetting quotes around role names
Confusing @PreAuthorize with @PostAuthorize
Thinking void methods cannot be secured
5. You want to secure a method so that only users with role 'ADMIN' or with permission 'WRITE_PRIVILEGE' can access it. Which @PreAuthorize expression correctly implements this?
hard
A. @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')")
B. @PreAuthorize("hasRole('ADMIN') && hasPermission('WRITE_PRIVILEGE')")
C. @PreAuthorize("hasRole('ADMIN') xor hasPermission('WRITE_PRIVILEGE')")
D. @PreAuthorize("hasRole('ADMIN') and hasPermission('WRITE_PRIVILEGE')")
Solution
Step 1: Understand the requirement for access
The method should allow access if the user has either the 'ADMIN' role or the 'WRITE_PRIVILEGE' permission.
Step 2: Choose the correct logical operator
The logical OR operator (or) allows access if either condition is true, which matches the requirement.
Step 3: Verify syntax correctness
@PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") uses or and correct method calls with quotes, making it valid.
Final Answer:
@PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") -> Option A
Quick Check:
Use 'or' to allow either role or permission [OK]
Hint: Use 'or' to combine role and permission checks [OK]
Common Mistakes:
Using 'and' instead of 'or' when either condition suffices