Concept Flow - @PreAuthorize annotation
Method call request
Check @PreAuthorize expression
Allow method
Return result
When a method is called, Spring checks the @PreAuthorize expression. If true, it runs the method; if false, it blocks access.
0
0
@PreAuthorize annotation in Spring Boot - Step-by-Step Execution
Execution Sample
Spring Boot
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser() {
// delete logic
}This code allows only users with ADMIN role to run deleteUser method.
Execution Table
| Step | Action | Expression Evaluated | Result | Method Access |
|---|---|---|---|---|
| 1 | User calls deleteUser() | hasRole('ADMIN') | true | Allowed |
| 2 | Method deleteUser() runs | - | - | User deleted |
| 3 | User calls deleteUser() | hasRole('ADMIN') | false | Denied |
| 4 | Access denied exception thrown | - | - | Access denied |
💡 Execution stops when access is denied or method completes.
Variable Tracker
| Variable | Start | After Step 1 | After Step 3 | Final |
|---|---|---|---|---|
| UserRole | unknown | ADMIN | USER | unchanged |
| AccessGranted | false | true | false | depends on role |
Key Moments - 2 Insights
Why does the method not run when the user role is not ADMIN?
Because at Step 3 in execution_table, the expression hasRole('ADMIN') evaluates to false, so access is denied before method runs.
What happens if the @PreAuthorize expression is true?
At Step 1, if the expression is true, the method runs normally as shown in Step 2.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the method access result at Step 3?
💡 Hint
Check the 'Method Access' column at Step 3 in execution_table.
At which step does the method actually execute?
💡 Hint
Look for 'Method deleteUser() runs' in the Action column.
If the user role changes from USER to ADMIN, how does AccessGranted change in variable_tracker?
💡 Hint
Compare AccessGranted values after Step 1 and Step 3 in variable_tracker.
Concept Snapshot
@PreAuthorize("expression")
- Checks security before method runs
- Expression uses roles or permissions
- If true, method runs
- If false, access denied exception
- Used for method-level security in SpringFull Transcript
The @PreAuthorize annotation in Spring Boot checks a security expression before a method runs. When a method is called, Spring evaluates the expression inside @PreAuthorize. If the expression returns true, the method executes normally. If false, Spring blocks access and throws an exception. For example, @PreAuthorize("hasRole('ADMIN')") allows only users with ADMIN role to run the method. The execution table shows steps where the expression is checked and access is granted or denied. Variables like UserRole and AccessGranted track the user's role and whether access is allowed. This helps secure methods by role or permission checks before running sensitive code.