Spring Boot | framework | ~10 mins

Method-level security in Spring Boot - Step-by-Step Execution

Concept Flow - Method-level security
User sends request -> Spring Security intercepts -> Check method annotation -> Evaluate security expression -> Yes: allow method -> Execute method / No: deny access
When a user calls a method, Spring Security checks the method's security annotation, evaluates if the user has permission, then allows or denies access accordingly.
Execution Sample
Spring Boot
@PreAuthorize("hasRole('ADMIN')")
public String adminOnly() {
    return "Secret Data";
}
This method only runs if the user has the ADMIN role; otherwise, access is denied.
Execution Table
Step | Action                 | Security Check                          | Result            | Method Execution
1    | User calls adminOnly() | Check @PreAuthorize("hasRole('ADMIN')") | User roles: USER  | Access Denied, method NOT executed
2    | User calls adminOnly() | Check @PreAuthorize("hasRole('ADMIN')") | User roles: ADMIN | Access Allowed, method executed, returns "Secret Data"
💡 Execution stops if user lacks ADMIN role; method runs only if user has ADMIN role.
Variable Tracker
Variable      | Start | After Step 1 | After Step 2
userRoles     | []    | [USER]       | [ADMIN]
accessGranted | false | false        | true
methodOutput  | null  | null         | "Secret Data"
Key Moments - 3 Insights
Why does the method not run when the user role is USER?
Because the @PreAuthorize annotation requires ADMIN role. Execution_table row 1 shows access denied due to missing ADMIN role.
What happens if the user has the ADMIN role?
The security check passes, allowing method execution. Execution_table row 2 shows method runs and returns data.
Is the method code executed before or after the security check?
The security check happens first. If it fails, the method is never executed, as shown in execution_table row 1.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the value of accessGranted at step 2?
A. null
B. false
C. true
D. undefined
💡 Hint
Check the 'accessGranted' column in variable_tracker after Step 2.
At which step does the method execution get blocked?
A. Step 1
B. Step 2
C. Both steps
D. Never blocked
💡 Hint
Look at execution_table row 1 where access is denied and method is not executed.
If the user role changes from USER to ADMIN, what changes in the execution table?
A. Security check is skipped
B. Access changes from denied to allowed
C. Method output becomes null
D. User roles become empty
💡 Hint
Compare rows 1 and 2 in execution_table for access and method execution.
Concept Snapshot
Method-level security in Spring Boot uses annotations like @PreAuthorize.
Spring Security checks user roles before running a method.
If the user lacks permission, the method is blocked.
If allowed, the method runs and returns its result.
This protects sensitive methods easily and clearly.
Full Transcript
Method-level security in Spring Boot means protecting individual methods by checking user permissions before running them. When a user calls a method annotated with @PreAuthorize, Spring Security intercepts the call and checks if the user has the required role or permission. If the user does not have the right role, the method is not executed and access is denied. If the user has the role, the method runs normally and returns its result. This approach helps keep sensitive parts of the application safe by controlling access at the method level.
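The two rows of the execution table, reproduced as a runnable Spring Boot test. This is an added example, not code from the original page; it assumes spring-boot-starter-security, spring-security-test and JUnit 5 on the classpath, and the class names (MethodSecurityConfig, AdminService, AdminServiceSecurityTest) are illustrative.

```java
// Added example: enable method security and verify both execution-table rows.
// Assumes spring-boot-starter-security, spring-security-test and JUnit 5.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

@Configuration
@EnableMethodSecurity   // without this, @PreAuthorize is never evaluated
class MethodSecurityConfig {}

@Service
class AdminService {
    // hasRole('ADMIN') matches the granted authority "ROLE_ADMIN";
    // the check runs in a proxy, so it only applies to calls made through
    // the injected bean, not to calls a method makes on itself.
    @PreAuthorize("hasRole('ADMIN')")
    public String adminOnly() {
        return "Secret Data";
    }
}

@SpringBootTest(classes = {MethodSecurityConfig.class, AdminService.class})
class AdminServiceSecurityTest {
    @Autowired
    AdminService adminService;

    @Test
    @WithMockUser(roles = "USER")    // execution table row 1: access denied
    void userIsDeniedBeforeMethodRuns() {
        assertThrows(AccessDeniedException.class, () -> adminService.adminOnly());
    }

    @Test
    @WithMockUser(roles = "ADMIN")   // execution table row 2: method executes
    void adminReceivesSecretData() {
        assertEquals("Secret Data", adminService.adminOnly());
    }
}
```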

Practice

1. What is the main purpose of using @PreAuthorize in Spring Boot method-level security?
easy
A. To log method execution time
B. To restrict access to a method based on user roles or permissions
C. To automatically retry failed method calls
D. To inject dependencies into a method

Solution

  1. Step 1: Understand the role of @PreAuthorize

    @PreAuthorize is an annotation used to secure methods by specifying access rules based on roles or permissions.
  2. Step 2: Identify the correct purpose

    It restricts method access to users who meet the specified security expression, such as having a certain role.
  3. Final Answer:

    To restrict access to a method based on user roles or permissions -> Option B
  4. Quick Check:

    Method-level security = restrict access [OK]
Hint: Remember: @PreAuthorize controls who can call a method [OK]
Common Mistakes:
  • Confusing @PreAuthorize with logging or retry mechanisms
  • Thinking it injects dependencies
  • Assuming it runs code before method execution without security checks
2. Which of the following is the correct syntax to restrict a method to users with role 'ADMIN' using @PreAuthorize?
easy
A. @PreAuthorize("checkRole('ADMIN')")
B. @PreAuthorize("hasPermission('ADMIN')")
C. @PreAuthorize("isUser('ADMIN')")
D. @PreAuthorize("hasRole('ADMIN')")

Solution

  1. Step 1: Recall the correct expression for role checking

    The correct Spring Security expression to check a role is hasRole('ROLE_NAME').
  2. Step 2: Match the syntax

    @PreAuthorize("hasRole('ADMIN')") uses hasRole('ADMIN'), which is the standard and correct syntax.
  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN')") -> Option D
  4. Quick Check:

    Role check syntax = hasRole('ROLE') [OK]
Hint: Use hasRole('ROLE') inside @PreAuthorize for role checks [OK]
Common Mistakes:
  • Using hasPermission instead of hasRole for roles
  • Using non-existent expressions like isUser or checkRole
  • Missing quotes or wrong method names
3. Given the method below, what will happen if a user without the 'USER' role calls getUserData()?
@PreAuthorize("hasRole('USER')")
public String getUserData() {
    return "User Data";
}
medium
A. The method returns null
B. The method returns "User Data" normally
C. AccessDeniedException is thrown and method is not executed
D. The method executes but logs a warning

Solution

  1. Step 1: Understand the effect of @PreAuthorize with hasRole

    The annotation blocks method execution if the user does not have the required role.
  2. Step 2: Identify the behavior when role is missing

    Spring Security throws an AccessDeniedException and prevents the method from running.
  3. Final Answer:

    AccessDeniedException is thrown and method is not executed -> Option C
  4. Quick Check:

    Missing role = AccessDeniedException [OK]
Hint: No role? Method blocked with AccessDeniedException [OK]
Common Mistakes:
  • Thinking method returns null instead of throwing exception
  • Assuming method runs but logs warning
  • Believing method returns data regardless of role
4. Identify the error in the following method-level security annotation:
@PreAuthorize("hasRole(ADMIN)")
public void deleteUser() {
    // delete logic
}
medium
A. Missing quotes around 'ADMIN' in hasRole expression
B. Method should return a value, not void
C. Annotation should be @PostAuthorize instead of @PreAuthorize
D. No error, the code is correct

Solution

  1. Step 1: Check the syntax of hasRole expression

    The role name must be a string inside quotes, like hasRole('ADMIN').
  2. Step 2: Identify the missing quotes

    The code uses hasRole(ADMIN) without quotes, causing a syntax error.
  3. Final Answer:

    Missing quotes around 'ADMIN' in hasRole expression -> Option A
  4. Quick Check:

    Role names need quotes in hasRole [OK]
Hint: Always put role names in quotes inside hasRole() [OK]
Common Mistakes:
  • Forgetting quotes around role names
  • Confusing @PreAuthorize with @PostAuthorize
  • Thinking void methods cannot be secured
5. You want to secure a method so that only users with role 'ADMIN' or with permission 'WRITE_PRIVILEGE' can access it. Which @PreAuthorize expression correctly implements this?
hard
A. @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')")
B. @PreAuthorize("hasRole('ADMIN') && hasPermission('WRITE_PRIVILEGE')")
C. @PreAuthorize("hasRole('ADMIN') xor hasPermission('WRITE_PRIVILEGE')")
D. @PreAuthorize("hasRole('ADMIN') and hasPermission('WRITE_PRIVILEGE')")

Solution

  1. Step 1: Understand the requirement for access

    The method should allow access if the user has either the 'ADMIN' role or the 'WRITE_PRIVILEGE' permission.
  2. Step 2: Choose the correct logical operator

    The logical OR operator or allows access if either condition is true, matching the requirement.
  3. Step 3: Verify syntax correctness

    @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") uses or and correct method calls with quotes, making it valid.
  4. Final Answer:

    @PreAuthorize("hasRole('ADMIN') or hasPermission('WRITE_PRIVILEGE')") -> Option A
  5. Quick Check:

    Use 'or' to allow either role or permission [OK]
Hint: Use 'or' to combine role and permission checks [OK]
Common Mistakes:
  • Using 'and' instead of 'or' when either condition suffices
  • Using '&&' which is invalid in SpEL expressions
  • Confusing xor with or logic