
@PreAuthorize annotation in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of the @PreAuthorize annotation in Spring Boot?
The @PreAuthorize annotation evaluates a Spring Security expression before the annotated method is invoked. If the expression evaluates to false the call is rejected and the method body never runs, so it is the standard way to declare access rules at the method level rather than only at the URL level.
beginner
How do you enable the use of @PreAuthorize annotations in a Spring Boot application?
You add @EnableMethodSecurity (Spring Security 5.6 and later; prePostEnabled is true by default) to a @Configuration class. In older versions the equivalent is @EnableGlobalMethodSecurity(prePostEnabled = true). Without one of these the @PreAuthorize annotations are silently ignored and every annotated method is open, which is worth checking in any review.
intermediate
What kind of expressions can you use inside @PreAuthorize?
You write Spring Expression Language (SpEL) expressions built from Spring Security's built-in functions, for example hasRole('ADMIN'), hasAuthority('permission'), isAuthenticated(), permitAll() or denyAll(), combined with the logical operators and, or and not, and optionally referencing method arguments as #argumentName.
beginner
Example: What does @PreAuthorize("hasRole('ADMIN')") do?
It allows only users who hold the ADMIN role to call the annotated method. By default hasRole adds the ROLE_ prefix for you, so the check matches the granted authority ROLE_ADMIN. Anyone without it is rejected with an AccessDeniedException before the method body runs.
intermediate
Can @PreAuthorize check conditions based on method parameters?
Yes. Method arguments are available in the expression as #name, for example @PreAuthorize("#userId == authentication.principal.id") allows the call only when the userId argument equals the id of the logged-in user. Two caveats: authentication.principal must actually expose an id property (a custom UserDetails class; the default User class does not, so with it compare against authentication.name instead), and resolving #userId by name requires parameter names in the compiled bytecode (javac -parameters, which Spring Boot's Maven and Gradle plugins enable) or an explicit @P("userId") on the parameter.
What annotation must be added to enable @PreAuthorize in Spring Boot?
A. @EnableMethodSecurity
B. @EnableWebSecurity
C. @SpringBootApplication
D. @ComponentScan
Which expression checks if a user has the role 'USER' inside @PreAuthorize?
A. hasRole('USER')
B. hasAuthority('USER')
C. isAuthenticated()
D. permitAll()
What happens if a user fails the @PreAuthorize check?
A. Method runs but returns null
B. Access is denied and the method is not executed
C. User is redirected automatically
D. Method runs with limited permissions
Can @PreAuthorize use method parameters in its expression?
A. Only if parameters are primitive types
B. No, it only checks user roles
C. Yes, using parameter names prefixed with #
D. Only in controller classes
Which of these is NOT a valid @PreAuthorize expression?
A. isAnonymous() or hasAuthority('USER')
B. permitAll()
C. allUsers()
D. hasRole('ADMIN') and #id == authentication.principal.id
Explain how the @PreAuthorize annotation secures a method in Spring Boot.
Think about how you stop someone from entering a room unless they have a key.
Describe how you would restrict a method to only allow access to users with a specific role and a matching user ID parameter.
Combine the role check and the parameter check in one expression.

      Practice

      1. What is the main purpose of the @PreAuthorize annotation in Spring Boot?
      easy
      A. To inject dependencies into a method
      B. To log method execution time automatically
      C. To restrict access to methods based on user roles or permissions before execution
      D. To handle exceptions thrown by a method

      Solution

      1. Step 1: Understand the role of @PreAuthorize

        This annotation is used to check if a user has the right role or permission before allowing method execution.
      2. Step 2: Compare with other options

        Logging, dependency injection, and exception handling are unrelated to @PreAuthorize.
      3. Final Answer:

        To restrict access to methods based on user roles or permissions before execution -> Option C
      4. Quick Check:

        Access control before execution = C
      Hint: @PreAuthorize decides access before the method runs
      Common Mistakes:
      • Confusing @PreAuthorize with logging or exception handling
      • Thinking it injects dependencies
      • Assuming it runs after method execution
      2. Which of the following is the correct syntax to allow only users with role 'ADMIN' to access a method using @PreAuthorize?
      easy
      A. @PreAuthorize("denyAll()")
      B. @PreAuthorize("hasRole('ADMIN')")
      C. @PreAuthorize("permitAll()")
      D. @PreAuthorize("hasAuthority('USER')")

      Solution

      1. Step 1: Identify the correct expression for role checking

        The expression hasRole('ADMIN') checks if the user has the 'ADMIN' role.
      2. Step 2: Verify other options

        hasAuthority('USER') checks for the literal granted authority USER (unlike hasRole, no ROLE_ prefix is added), permitAll() allows everyone, and denyAll() denies everyone.
      3. Final Answer:

        @PreAuthorize("hasRole('ADMIN')") -> Option B
      4. Quick Check:

        Role check syntax = B
      Hint: Use hasRole('ADMIN') without the ROLE_ prefix; Spring prepends ROLE_ itself and matches the authority ROLE_ADMIN
      Common Mistakes:
      • Using wrong role name or authority
      • Confusing hasRole with hasAuthority
      • Using permitAll() when restriction is needed
      3. Given the method below, what will happen if a user with role 'USER' calls it?
      @PreAuthorize("hasRole('ADMIN')")
      public String adminOnly() {
          return "Welcome Admin";
      }
      medium
      A. Access denied error is thrown before method runs
      B. The method executes and returns 'Welcome Admin'
      C. The method executes but returns null
      D. The method executes and returns 'Welcome User'

      Solution

      1. Step 1: Understand the role restriction

        The method requires the user to have 'ADMIN' role to run.
      2. Step 2: Check user role and effect

        The user holds the USER role (authority ROLE_USER), not ADMIN, so Spring Security throws an AccessDeniedException before the method body runs; in a web request the ExceptionTranslationFilter turns this into an HTTP 403 for an authenticated user.
      3. Final Answer:

        Access denied error is thrown before method runs -> Option A
      4. Quick Check:

        Role mismatch causes denial = A
      Hint: If the required role is missing, @PreAuthorize blocks the method
      Common Mistakes:
      • Assuming method runs anyway
      • Thinking it returns null instead of error
      • Confusing roles 'USER' and 'ADMIN'
      4. Identify the error in this usage of @PreAuthorize:
      @PreAuthorize("hasRole(ADMIN)")
      public void secureMethod() { }
      medium
      A. Annotation should be @PostAuthorize instead
      B. Method must return a value to use @PreAuthorize
      C. No error, syntax is correct
      D. Missing quotes around 'ADMIN' in hasRole expression

      Solution

      1. Step 1: Check syntax of hasRole expression

        The role name must be a string inside quotes: hasRole('ADMIN').
      2. Step 2: Verify other options

        The return type is irrelevant and @PreAuthorize is the right annotation, so there is no other error. Note that the mistake is not caught at compile time: SpEL parses the unquoted ADMIN as a property reference on the expression root, so the failure only surfaces as an evaluation error when the method is first called.
      3. Final Answer:

        Missing quotes around 'ADMIN' in hasRole expression -> Option D
      4. Quick Check:

        Role names need quotes = D
      Hint: Always quote role names inside hasRole(), as in hasRole('ADMIN')
      Common Mistakes:
      • Omitting quotes around role names
      • Confusing @PreAuthorize with @PostAuthorize
      • Thinking method must return a value
      5. How would you use @PreAuthorize to allow access only if the user has either 'ADMIN' role or 'MANAGER' authority?
      hard
      A. @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')")
      B. @PreAuthorize("hasRole('ADMIN') and hasAuthority('MANAGER')")
      C. @PreAuthorize("hasRole('ADMIN')") @PreAuthorize("hasAuthority('MANAGER')")
      D. @PreAuthorize("permitAll()")

      Solution

      1. Step 1: Understand logical operators in @PreAuthorize

        Use or to allow access if either condition is true.
      2. Step 2: Analyze options

        Option A uses or correctly. Option B requires both the ADMIN role and the MANAGER authority, which is stricter than asked. Option C does not compile: @PreAuthorize is not a repeatable annotation, so it cannot appear twice on the same method. Option D, permitAll(), allows everyone.
      3. Final Answer:

        @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')") -> Option A
      4. Quick Check:

        Use 'or' for either role or authority = A
      Hint: Combine the conditions with 'or' inside a single @PreAuthorize expression
      Common Mistakes:
      • Using 'and' instead of 'or' when either role suffices
      • Trying to stack multiple @PreAuthorize annotations
      • Using permitAll() which allows everyone
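The flashcard answers above (enabling method security, hasRole versus hasAuthority, argument-based checks) and practice questions 2, 3 and 5 come together in the following added example. It is not code from the original page: it assumes a Spring Boot 3 / Spring Security 6 project with spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath, and the class names, the ORDERS_READ and MANAGER authorities and the user names are hypothetical. The test shows that a failed check throws AccessDeniedException before the method body runs, that hasRole adds the ROLE_ prefix while hasAuthority does not, and that or lets either condition pass.

```java
// Added example, not from the original page. Three files of one hypothetical project.

// --- src/main/java/com/example/demo/MethodSecurityConfig.java ---
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity // switches on @PreAuthorize/@PostAuthorize; prePostEnabled defaults to true
public class MethodSecurityConfig {
}

// --- src/main/java/com/example/demo/AccountService.java ---
package com.example.demo;

import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AccountService {

    // hasRole('ADMIN') matches the granted authority "ROLE_ADMIN"; Spring adds the ROLE_ prefix
    @PreAuthorize("hasRole('ADMIN')")
    public String adminOnly() {
        return "Welcome Admin";
    }

    // hasAuthority compares the literal authority string; no prefix is added (ORDERS_READ is hypothetical)
    @PreAuthorize("hasAuthority('ORDERS_READ')")
    public List<String> listOrders() {
        return List.of("order-1", "order-2");
    }

    // 'or' is the SpEL logical operator: either condition is enough
    @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')")
    public String reports() {
        return "reports";
    }

    // Argument-based check: #userId is the parameter, authentication.name the logged-in
    // username. Resolving #userId by name needs javac -parameters (Spring Boot's build
    // plugins enable it); otherwise annotate the parameter with @P("userId").
    @PreAuthorize("hasRole('ADMIN') or #userId == authentication.name")
    public String profile(String userId) {
        return "profile of " + userId;
    }
}

// --- src/test/java/com/example/demo/AccountServiceSecurityTest.java ---
package com.example.demo;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.test.context.support.WithMockUser;

// Only the two classes are loaded, so the test exercises method security alone
@SpringBootTest(classes = { MethodSecurityConfig.class, AccountService.class })
class AccountServiceSecurityTest {

    @Autowired
    AccountService service;

    @Test
    @WithMockUser(username = "alice", roles = "USER") // granted authority: ROLE_USER
    void plainUserIsDeniedBeforeTheMethodRuns() {
        assertThrows(AccessDeniedException.class, service::adminOnly);
        assertThrows(AccessDeniedException.class, service::listOrders);
        assertEquals("profile of alice", service.profile("alice")); // own id: allowed
        assertThrows(AccessDeniedException.class, () -> service.profile("bob")); // someone else's: denied
    }

    @Test
    @WithMockUser(username = "root", roles = "ADMIN") // granted authority: ROLE_ADMIN
    void adminPassesRoleAndOrChecks() {
        assertEquals("Welcome Admin", service.adminOnly());
        assertEquals("reports", service.reports());
        assertEquals("profile of bob", service.profile("bob"));
    }

    @Test
    @WithMockUser(username = "carol", authorities = { "MANAGER", "ORDERS_READ" }) // no ROLE_ prefix
    void plainAuthoritiesSatisfyHasAuthorityButNotHasRole() {
        assertEquals("reports", service.reports());
        assertEquals(2, service.listOrders().size());
        assertThrows(AccessDeniedException.class, service::adminOnly); // "MANAGER" is not "ROLE_ADMIN"
    }
}
```

Run the test with the project's usual build (mvn test or gradle test). Removing @EnableMethodSecurity from MethodSecurityConfig makes the first test fail, which is the quickest way to confirm that the annotations are actually being enforced rather than silently ignored.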