Bird
Raised Fist0
Spring Bootframework~10 mins

@PreAuthorize annotation in Spring Boot - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - @PreAuthorize annotation
Method call request
Check @PreAuthorize expression
Allow method
Return result
When a method is called, Spring checks the @PreAuthorize expression. If true, it runs the method; if false, it blocks access.
Execution Sample
Spring Boot
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser() {
  // delete logic
}
This code allows only users with ADMIN role to run deleteUser method.
Execution Table
StepActionExpression EvaluatedResultMethod Access
1User calls deleteUser()hasRole('ADMIN')trueAllowed
2Method deleteUser() runs--User deleted
3User calls deleteUser()hasRole('ADMIN')falseDenied
4Access denied exception thrown--Access denied
💡 Execution stops when access is denied or method completes.
Variable Tracker
VariableStartAfter Step 1After Step 3Final
UserRoleunknownADMINUSERunchanged
AccessGrantedfalsetruefalsedepends on role
Key Moments - 2 Insights
Why does the method not run when the user role is not ADMIN?
Because at Step 3 in execution_table, the expression hasRole('ADMIN') evaluates to false, so access is denied before method runs.
What happens if the @PreAuthorize expression is true?
At Step 1, if the expression is true, the method runs normally as shown in Step 2.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the method access result at Step 3?
AAllowed
BDenied
CThrows error after method runs
DMethod runs partially
💡 Hint
Check the 'Method Access' column at Step 3 in execution_table.
At which step does the method actually execute?
AStep 3
BStep 1
CStep 2
DStep 4
💡 Hint
Look for 'Method deleteUser() runs' in the Action column.
If the user role changes from USER to ADMIN, how does AccessGranted change in variable_tracker?
AChanges from false to true
BChanges from true to false
CRemains false
DRemains true
💡 Hint
Compare AccessGranted values after Step 1 and Step 3 in variable_tracker.
Concept Snapshot
@PreAuthorize("expression")
- Checks security before method runs
- Expression uses roles or permissions
- If true, method runs
- If false, access denied exception
- Used for method-level security in Spring
Full Transcript
The @PreAuthorize annotation in Spring Boot checks a security expression before a method runs. When a method is called, Spring evaluates the expression inside @PreAuthorize. If the expression returns true, the method executes normally. If false, Spring blocks access and throws an exception. For example, @PreAuthorize("hasRole('ADMIN')") allows only users with ADMIN role to run the method. The execution table shows steps where the expression is checked and access is granted or denied. Variables like UserRole and AccessGranted track the user's role and whether access is allowed. This helps secure methods by role or permission checks before running sensitive code.

Practice

(1/5)
1. What is the main purpose of the @PreAuthorize annotation in Spring Boot?
easy
A. To inject dependencies into a method
B. To log method execution time automatically
C. To restrict access to methods based on user roles or permissions before execution
D. To handle exceptions thrown by a method

Solution

  1. Step 1: Understand the role of @PreAuthorize

    This annotation is used to check if a user has the right role or permission before allowing method execution.

  2. Step 2: Compare with other options

    Logging, dependency injection, and exception handling are unrelated to @PreAuthorize.

  3. Final Answer:

    To restrict access to methods based on user roles or permissions before execution -> Option C

  4. Quick Check:

    Access control = A [OK]
Hint: Remember: @PreAuthorize controls access before method runs [OK]
Common Mistakes:
  • Confusing @PreAuthorize with logging or exception handling
  • Thinking it injects dependencies
  • Assuming it runs after method execution
2. Which of the following is the correct syntax to allow only users with role 'ADMIN' to access a method using @PreAuthorize?
easy
A. @PreAuthorize("denyAll()")
B. @PreAuthorize("hasRole('ADMIN')")
C. @PreAuthorize("permitAll()")
D. @PreAuthorize("hasAuthority('USER')")

Solution

  1. Step 1: Identify the correct expression for role checking

    The expression hasRole('ADMIN') checks if the user has the 'ADMIN' role.

  2. Step 2: Verify other options

    hasAuthority('USER') checks for a different role, permitAll() allows everyone, and denyAll() denies everyone.

  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN')") -> Option B

  4. Quick Check:

    Role check syntax = D [OK]
Hint: Use hasRole('ROLE_NAME') to restrict by role [OK]
Common Mistakes:
  • Using wrong role name or authority
  • Confusing hasRole with hasAuthority
  • Using permitAll() when restriction is needed
3. Given the method below, what will happen if a user with role 'USER' calls it?
@PreAuthorize("hasRole('ADMIN')")
public String adminOnly() {
    return "Welcome Admin";
}
medium
A. Access denied error is thrown before method runs
B. The method executes and returns 'Welcome Admin'
C. The method executes but returns null
D. The method executes and returns 'Welcome User'

Solution

  1. Step 1: Understand the role restriction

    The method requires the user to have 'ADMIN' role to run.

  2. Step 2: Check user role and effect

    User has 'USER' role, not 'ADMIN', so access is denied before method runs.

  3. Final Answer:

    Access denied error is thrown before method runs -> Option A

  4. Quick Check:

    Role mismatch causes denial = A [OK]
Hint: If role missing, @PreAuthorize blocks method [OK]
Common Mistakes:
  • Assuming method runs anyway
  • Thinking it returns null instead of error
  • Confusing roles 'USER' and 'ADMIN'
4. Identify the error in this usage of @PreAuthorize:
@PreAuthorize("hasRole(ADMIN)")
public void secureMethod() { }
medium
A. Annotation should be @PostAuthorize instead
B. Method must return a value to use @PreAuthorize
C. No error, syntax is correct
D. Missing quotes around 'ADMIN' in hasRole expression

Solution

  1. Step 1: Check syntax of hasRole expression

    The role name must be a string inside quotes: hasRole('ADMIN').

  2. Step 2: Verify other options

    Return type is not required, @PreAuthorize is correct annotation, so no other errors.

  3. Final Answer:

    Missing quotes around 'ADMIN' in hasRole expression -> Option D

  4. Quick Check:

    Role names need quotes = C [OK]
Hint: Always put role names in quotes inside hasRole() [OK]
Common Mistakes:
  • Omitting quotes around role names
  • Confusing @PreAuthorize with @PostAuthorize
  • Thinking method must return a value
5. How would you use @PreAuthorize to allow access only if the user has either 'ADMIN' role or 'MANAGER' authority?
hard
A. @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')")
B. @PreAuthorize("hasRole('ADMIN') and hasAuthority('MANAGER')")
C. @PreAuthorize("hasRole('ADMIN')") @PreAuthorize("hasAuthority('MANAGER')")
D. @PreAuthorize("permitAll()")

Solution

  1. Step 1: Understand logical operators in @PreAuthorize

    Use or to allow access if either condition is true.

  2. Step 2: Analyze options

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')") uses or correctly; @PreAuthorize("hasRole('ADMIN') and hasAuthority('MANAGER')") requires both roles which is stricter; @PreAuthorize("hasRole('ADMIN')") @PreAuthorize("hasAuthority('MANAGER')") is invalid to use two annotations; @PreAuthorize("permitAll()") allows everyone.

  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN') or hasAuthority('MANAGER')") -> Option A

  4. Quick Check:

    Use 'or' for either role or authority = B [OK]
Hint: Combine roles with 'or' inside one @PreAuthorize [OK]
Common Mistakes:
  • Using 'and' instead of 'or' when either role suffices
  • Trying to stack multiple @PreAuthorize annotations
  • Using permitAll() which allows everyone