
Role-based access control in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1: Component behavior (intermediate)
What is the output when accessing a secured endpoint without the required role?

Consider a Spring Boot REST controller method secured with @PreAuthorize("hasRole('ADMIN')"), in an application where method security is enabled. What happens when an authenticated user who does not hold the ADMIN role calls this endpoint?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AdminController {
    @GetMapping("/admin/data")
    @PreAuthorize("hasRole('ADMIN')")
    public String getAdminData() {
        return "Sensitive admin data";
    }
}
AThe user receives HTTP 403 Forbidden error.
BThe user receives HTTP 401 Unauthorized error.
CThe user receives HTTP 404 Not Found error.
DThe user receives the string "Sensitive admin data".
💡 Hint

Think about which HTTP status code means 'access denied' because of insufficient permissions, as opposed to missing or invalid credentials. Spring Security's ExceptionTranslationFilter sends an unauthenticated caller to the AuthenticationEntryPoint (typically a 401, or a redirect to the login page with form login) and an authenticated but under-privileged caller to the AccessDeniedHandler, which answers 403.

Problem 2: 📝 Syntax (intermediate)
Which annotation restricts access to users with role USER or ADMIN in a single call?

In Spring Security, which @PreAuthorize expression allows access only to users holding the USER or the ADMIN role, using one built-in call rather than combining two separate checks?

A@PreAuthorize("hasRole('USER') or hasRole('ADMIN')")
B@PreAuthorize("hasRole('USER') and hasRole('ADMIN')")
C@PreAuthorize("hasRole('USER', 'ADMIN')")
D@PreAuthorize("hasAnyRole('USER', 'ADMIN')")
💡 Hint

Look for the expression that checks several roles in one call. hasRole() takes exactly one role name, so passing two arguments is a syntax error; chaining two hasRole() checks with `or` is valid SpEL but spells the check out twice, and `and` would demand that the user hold both roles at once.

Problem 3: State output (advanced)
What is the role of SecurityContextHolder in Spring Security?

After a user logs in, Spring Security stores authentication details. What does SecurityContextHolder.getContext().getAuthentication() return?

AAn Authentication object containing the user's principal, credentials, and granted authorities.
BA boolean indicating if the user is authenticated.
CThe user's password in plain text.
DA list of all users currently logged in.
💡 Hint

Think about what Spring Security keeps about the user of the current request: the principal, the granted authorities, and the credentials. Two practical caveats: getAuthentication() returns null when nothing has populated the SecurityContext on the current thread, and the default ProviderManager erases credentials after a successful login, so getCredentials() is usually null even though the Authentication object has a slot for it.
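
To make the Problem 3 answer concrete, here is an added example (not code from the page) of a service reading the caller's identity from SecurityContextHolder, plus a main() that simulates what the filter chain does after login. The class name CallerInfo, the user "alice" and her authorities are constructed for the demo; the Spring Security calls themselves are the real API.

```java
package com.example.rbac;

import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical audit helper: reads the caller's identity from the thread-bound
 * SecurityContext instead of trusting a username supplied by the client.
 */
public class CallerInfo {

    public record Summary(String name, List<String> authorities, boolean hasCredentials, boolean isAdmin) {}

    public static Summary describeCurrentCaller() {
        // getContext() never returns null; getAuthentication() does if nothing populated the context.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return new Summary("<anonymous>", List.of(), false, false);
        }
        List<String> authorities = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .toList();
        return new Summary(
                auth.getName(),
                authorities,
                auth.getCredentials() != null,
                // hasRole('ADMIN') in SpEL is the same test as holding the authority "ROLE_ADMIN"
                authorities.contains("ROLE_ADMIN"));
    }

    // Demo: simulate the state the filter chain leaves behind after a successful login.
    public static void main(String[] args) {
        // Constructed sample user; a real application gets this from an AuthenticationProvider.
        Authentication loggedIn = UsernamePasswordAuthenticationToken.authenticated(
                "alice",
                null, // ProviderManager erases credentials after authentication by default
                AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(loggedIn);
        SecurityContextHolder.setContext(ctx);
        try {
            System.out.println(describeCurrentCaller()); // alice, both authorities, isAdmin true
        } finally {
            // Always clear the thread-local; a pooled thread would otherwise carry alice's identity
            // into the next request it serves.
            SecurityContextHolder.clearContext();
        }
        System.out.println(describeCurrentCaller()); // anonymous summary after clearContext()
    }
}
```

In a real request the filter chain performs the setContext()/clearContext() pair for you; the try/finally matters when you populate the context yourself, for example in a background job or a test.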

Problem 4: 🔧 Debug (advanced)
Why does this method allow access to all users despite @PreAuthorize annotation?

Given the following Spring Boot controller method, why does it allow access to users without the ADMIN role?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SampleController {
    @GetMapping("/secure-data")
    @PreAuthorize("hasRole('ADMIN')")
    public String getData() {
        return "Secure Data";
    }
}
AThe @PreAuthorize annotation is misspelled.
BThe user actually has the ADMIN role but it is not visible.
CMethod security is not enabled in the Spring Boot application.
DThe endpoint URL is incorrect.
💡 Hint

Check whether method security annotations are activated in the configuration. Spring Security 6 (Spring Boot 3) needs @EnableMethodSecurity on a @Configuration class; Spring Security 5 needs @EnableGlobalMethodSecurity(prePostEnabled = true). Without it, @PreAuthorize is never evaluated and the endpoint is protected only by whatever URL rules the filter chain applies, which is why a missing annotation fails open rather than closed.

Problem 5: 🧠 Conceptual (expert)
How does Spring Security differentiate roles internally when using hasRole vs hasAuthority?

In Spring Security, what is the key difference between hasRole('ADMIN') and hasAuthority('ADMIN') in access control expressions?

A<code>hasAuthority</code> automatically prefixes the role name with 'ROLE_', while <code>hasRole</code> checks the exact authority string.
B<code>hasRole</code> automatically prefixes the role name with 'ROLE_', while <code>hasAuthority</code> checks the exact authority string.
CThere is no difference; both check the exact same authority string.
D<code>hasRole</code> checks user permissions, <code>hasAuthority</code> checks user groups.
💡 Hint

Think about how Spring Security stores roles internally: as GrantedAuthority strings carrying a ROLE_ prefix. hasRole('ADMIN') therefore checks for the authority ROLE_ADMIN, while hasAuthority('ADMIN') checks for the literal string ADMIN. The prefix is added by User.roles(...) when the user is built and by hasRole()/hasAnyRole() when the check runs; hasAuthority() adds nothing, so a user built with authorities("ADMIN") does not satisfy hasRole('ADMIN'). Pass the bare name to hasRole(), never 'ROLE_ADMIN'.
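
The following added example (not code from the page) ties Problems 1, 4 and 5 together in one runnable Spring Boot 3 application with a MockMvc test: @EnableMethodSecurity switches @PreAuthorize on, HTTP Basic gives unauthenticated callers 401 while under-privileged authenticated callers get 403, and two in-memory users built with roles("ADMIN") versus authorities("ADMIN") show which of hasRole and hasAuthority each satisfies. The package name, the users alice/bob/carol with their {noop} passwords, and the /admin/raw endpoint are constructed for the demo; the test assumes spring-boot-starter-test and spring-security-test are on the test classpath.

```java
// --- src/main/java/com/example/rbac/RbacDemoApplication.java ---
package com.example.rbac;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableMethodSecurity // Problem 4: without this, @PreAuthorize is never evaluated
public class RbacDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(RbacDemoApplication.class, args);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Problem 1: the Basic entry point answers unauthenticated callers with 401;
        // an authenticated caller that fails @PreAuthorize gets 403 from the AccessDeniedHandler.
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService users() {
        // Constructed demo accounts; {noop} marks a plaintext password and is for demos only.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("ADMIN").build(),   // authority ROLE_ADMIN
            User.withUsername("bob").password("{noop}bob-pw").authorities("ADMIN").build(), // authority ADMIN
            User.withUsername("carol").password("{noop}carol-pw").roles("USER").build());   // authority ROLE_USER
    }

    @RestController
    static class AdminController {
        @GetMapping("/admin/data")
        @PreAuthorize("hasRole('ADMIN')")      // Problem 5: requires the authority ROLE_ADMIN
        String byRole() { return "Sensitive admin data"; }

        @GetMapping("/admin/raw")
        @PreAuthorize("hasAuthority('ADMIN')") // Problem 5: requires the literal authority ADMIN
        String byAuthority() { return "Sensitive admin data"; }
    }
}

// --- src/test/java/com/example/rbac/RbacDemoApplicationTests.java ---
package com.example.rbac;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class RbacDemoApplicationTests {

    @Autowired MockMvc mvc;

    @Test void anonymousCallerGets401() throws Exception {
        mvc.perform(get("/admin/data")).andExpect(status().isUnauthorized());
    }

    @Test void authenticatedCallerWithoutRoleGets403() throws Exception {
        mvc.perform(get("/admin/data").with(httpBasic("carol", "carol-pw"))).andExpect(status().isForbidden());
    }

    @Test void roleAdminSatisfiesHasRoleButNotHasAuthority() throws Exception {
        mvc.perform(get("/admin/data").with(httpBasic("alice", "alice-pw"))).andExpect(status().isOk());
        mvc.perform(get("/admin/raw").with(httpBasic("alice", "alice-pw"))).andExpect(status().isForbidden());
    }

    @Test void bareAuthoritySatisfiesHasAuthorityButNotHasRole() throws Exception {
        mvc.perform(get("/admin/raw").with(httpBasic("bob", "bob-pw"))).andExpect(status().isOk());
        mvc.perform(get("/admin/data").with(httpBasic("bob", "bob-pw"))).andExpect(status().isForbidden());
    }
}
```

Remove the @EnableMethodSecurity line and rerun the tests to reproduce Problem 4: carol's 403 turns into a 200 because the URL rule only demands authentication and the @PreAuthorize check is no longer applied. The two-users trick is also a handy production check: if a token or user store emits bare authorities while the code uses hasRole(), every administrator is locked out, and if it emits ROLE_-prefixed values while the code uses hasAuthority(), the same thing happens in the other direction.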