
Method-level security in Spring Boot - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below
1. Fill in the blank (easy)

Complete the code to enable method-level security in a Spring Boot application.

@Configuration
@Enable[1]
public class SecurityConfig {
}
A. WebSecurity
B. EnableSecurity
C. MethodSecurity
D. GlobalMethodSecurity
Common Mistakes:
  • Using @EnableWebSecurity instead of @EnableGlobalMethodSecurity
  • Misspelling the annotation name
  • Not adding any annotation
2. Fill in the blank (medium)

Complete the code to restrict access to the method to users with the role 'ADMIN'.

@PreAuthorize("hasRole('[1]')")
public void deleteUser(Long id) {
    // method body
}
A. USER
B. ADMIN
C. GUEST
D. MANAGER
Common Mistakes:
  • Using 'ROLE_ADMIN' instead of 'ADMIN' inside hasRole
  • Using a role that does not exist
  • Forgetting to add @PreAuthorize
3. Fill in the blank (hard)

Fix the error in the method-level security annotation so that access is allowed only if the user has the 'USER' role and the id matches the authenticated user's id.

@PreAuthorize("hasRole('[1]') and #id == authentication.principal.id")
public void updateProfile(Long id) {
    // method body
}
A. ADMIN
B. GUEST
C. USER
D. MANAGER
Common Mistakes:
  • Using the 'ADMIN' role, which is too restrictive
  • Using the 'GUEST' role, which is too permissive
  • Incorrect SpEL expression syntax
4. Fill in the blanks (hard)

Fill both blanks to create a method that allows access only if the user has the 'ADMIN' role or the user id matches the authenticated user's id.

@PreAuthorize("hasRole('[1]') or #id [2] authentication.principal.id")
public void accessResource(Long id) {
    // method body
}
A. ADMIN
B. ==
C. !=
D. USER
Common Mistakes:
  • Using the 'USER' role instead of 'ADMIN'
  • Using the '!=' operator, which denies access when the ids match
  • Forgetting to use # before id in SpEL
5. Fill in the blanks (hard)

Fill all three blanks to create a method that allows access only if the user has the 'MANAGER' role and the department matches the authenticated user's department.

@PreAuthorize("hasRole('[1]') and #dept [2] authentication.principal.[3]")
public void manageDepartment(String dept) {
    // method body
}
A. MANAGER
B. ==
C. department
D. USER
Common Mistakes:
  • Using the 'USER' role instead of 'MANAGER'
  • Using the '!=' operator, which denies access when the departments match
  • Using a wrong property name instead of 'department'

Practice

1. What is the main purpose of using @PreAuthorize in Spring Boot method-level security? (easy)
A. To log method execution time
B. To restrict access to a method based on user roles or permissions
C. To automatically retry failed method calls
D. To inject dependencies into a method

Solution

Step 1: Understand the role of @PreAuthorize
  @PreAuthorize is an annotation used to secure methods by specifying access rules based on roles or permissions.
Step 2: Identify the correct purpose
  It restricts method access to users who meet the specified security expression, such as having a certain role.
Final Answer: To restrict access to a method based on user roles or permissions -> Option B
Quick Check: Method-level security = restrict access
Hint: @PreAuthorize controls who can call a method
Common Mistakes:
  • Confusing @PreAuthorize with logging or retry mechanisms
  • Thinking it injects dependencies
  • Assuming it runs code before method execution without security checks
2. Which of the following is the correct syntax to restrict a method to users with role 'ADMIN' using @PreAuthorize? (easy)
A. @PreAuthorize("checkRole('ADMIN')")
B. @PreAuthorize("hasPermission('ADMIN')")
C. @PreAuthorize("isUser('ADMIN')")
D. @PreAuthorize("hasRole('ADMIN')")

Solution

Step 1: Recall the correct expression for role checking
  The correct Spring Security expression to check a role is hasRole('ROLE_NAME').
Step 2: Match the syntax
  @PreAuthorize("hasRole('ADMIN')") uses hasRole('ADMIN'), which is the standard and correct syntax.
Final Answer: @PreAuthorize("hasRole('ADMIN')") -> Option D
Quick Check: Role check syntax = hasRole('ROLE')
Hint: Use hasRole('ROLE') inside @PreAuthorize for role checks
Common Mistakes:
  • Using hasPermission instead of hasRole for roles
  • Using non-existent expressions like isUser or checkRole
  • Missing quotes or wrong method names
3. Given the method below, what will happen if a user without the 'USER' role calls getUserData()? (medium)
@PreAuthorize("hasRole('USER')")
public String getUserData() {
    return "User Data";
}
A. The method returns null
B. The method returns "User Data" normally
C. AccessDeniedException is thrown and method is not executed
D. The method executes but logs a warning

Solution

Step 1: Understand the effect of @PreAuthorize with hasRole
  The annotation blocks method execution if the user does not have the required role.
Step 2: Identify the behavior when the role is missing
  Spring Security throws an AccessDeniedException and prevents the method from running.
Final Answer: AccessDeniedException is thrown and the method is not executed -> Option C
Quick Check: Missing role = AccessDeniedException
Hint: No role? The method is blocked with AccessDeniedException
Common Mistakes:
  • Thinking the method returns null instead of throwing an exception
  • Assuming the method runs but logs a warning
  • Believing the method returns data regardless of role
4. Identify the error in the following method-level security annotation (medium):
@PreAuthorize("hasRole(ADMIN)")
public void deleteUser() {
    // delete logic
}
A. Missing quotes around 'ADMIN' in hasRole expression
B. Method should return a value, not void
C. Annotation should be @PostAuthorize instead of @PreAuthorize
D. No error, the code is correct

Solution

Step 1: Check the syntax of the hasRole expression
  The role name must be a string inside quotes, like hasRole('ADMIN').
Step 2: Identify the missing quotes
  The code uses hasRole(ADMIN) without quotes, causing a syntax error.
Final Answer: Missing quotes around 'ADMIN' in hasRole expression -> Option A
Quick Check: Role names need quotes in hasRole
Hint: Always put role names in quotes inside hasRole()
Common Mistakes:
  • Forgetting quotes around role names
  • Confusing @PreAuthorize with @PostAuthorize
  • Thinking void methods cannot be secured
5. You want to secure a method so that only users with role 'ADMIN' or with permission 'WRITE_PRIVILEGE' can access it. Which @PreAuthorize expression correctly implements this? (hard)
A. @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')")
B. @PreAuthorize("hasRole('ADMIN') && hasPermission('WRITE_PRIVILEGE')")
C. @PreAuthorize("hasRole('ADMIN') xor hasPermission('WRITE_PRIVILEGE')")
D. @PreAuthorize("hasRole('ADMIN') and hasPermission('WRITE_PRIVILEGE')")

Solution

Step 1: Understand the requirement for access
  The method should allow access if the user has either the 'ADMIN' role or the 'WRITE_PRIVILEGE' permission.
Step 2: Choose the correct logical operator
  The logical operator or allows access if either condition is true, matching the requirement.
Step 3: Verify syntax correctness
  @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") uses or and correct method calls with quotes, making it valid.
Final Answer: @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") -> Option A
Quick Check: Use 'or' to allow either role or permission
Hint: Use 'or' to combine role and permission checks
Common Mistakes:
  • Using 'and' instead of 'or' when either condition suffices
  • Using '&&' which is invalid in SpEL expressions
  • Confusing xor with or logic