Role-based access control in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is Role-based Access Control (RBAC)?
RBAC is a way to control who can do what in an application by assigning roles to users. Each role has specific permissions that allow or deny actions.
beginner
How do you define roles in Spring Boot for RBAC?
Roles are usually defined as strings like 'ROLE_ADMIN' or 'ROLE_USER' and assigned to users. Spring Security uses these roles to check access rights.
intermediate
Which Spring Security annotation is used to restrict access to methods based on roles?
The @PreAuthorize annotation is used to restrict access by specifying role conditions, for example, @PreAuthorize("hasRole('ADMIN')").
intermediate
What is the difference between 'hasRole' and 'hasAuthority' in Spring Security?
'hasRole' checks for roles with a 'ROLE_' prefix automatically added, while 'hasAuthority' checks for exact authority strings without adding prefixes.
intermediate
How can you configure role-based access control in Spring Security's HttpSecurity?
You configure RBAC by specifying URL patterns and the roles allowed to access them using methods like .antMatchers("/admin/**").hasRole("ADMIN").
In Spring Security, what prefix is automatically added when using hasRole('ADMIN')?
A. ROLE_
B. AUTH_
C. PERM_
D. USER_

Which annotation restricts method access based on roles in Spring Boot?
A. @PreAuthorize
B. @GetMapping
C. @Autowired
D. @Component

What does RBAC stand for?
A. Role-based Authentication Code
B. Resource-based Access Control
C. Role-based Access Control
D. Resource Binding Access Control

How do you specify that only users with the ADMIN role can access '/admin/**' URLs in Spring Security?
A. .antMatchers("/admin/**").permitAll()
B. .antMatchers("/admin/**").authenticated()
C. .antMatchers("/admin/**").denyAll()
D. .antMatchers("/admin/**").hasRole("ADMIN")

Which of these is NOT a typical role name in Spring Security?
A. ROLE_USER
B. ROLE_GUEST_USER
C. ROLE_MANAGER
D. ROLE_ADMIN
Explain how role-based access control works in a Spring Boot application.
Think about how you decide who can enter a room based on their badge.
Describe how to restrict access to a REST endpoint to only users with the ADMIN role using Spring Security.
Consider both the configuration and the annotation approach.

Practice

1. What is the main purpose of role-based access control (RBAC) in a Spring Boot application?
easy
A. To restrict access to resources based on user roles
B. To improve application performance by caching data
C. To automatically generate user interfaces
D. To handle database transactions efficiently

Solution

Step 1: Understand the RBAC concept
RBAC limits access to parts of an application depending on the roles assigned to users.
Step 2: Identify the purpose in Spring Boot
In Spring Boot, RBAC is used to protect resources by checking user roles before allowing access.
Final Answer: To restrict access to resources based on user roles -> Option A
Quick Check: RBAC controls access by roles = A
Hint: RBAC controls who can do what by roles
Common Mistakes:
• Confusing RBAC with performance optimization
• Thinking RBAC generates UI automatically
• Mixing RBAC with database transaction handling
2. Which annotation is used in Spring Boot to enforce role-based access control on a method?
easy
A. @PreAuthorize
B. @Autowired
C. @RequestMapping
D. @Entity

Solution

Step 1: Identify the role enforcement annotation
Spring Security uses @PreAuthorize to check roles before method execution.
Step 2: Differentiate it from the other annotations
@RequestMapping handles URL mapping, @Autowired injects beans, and @Entity marks database entities.
Final Answer: @PreAuthorize -> Option A
Quick Check: @PreAuthorize controls access by roles
Hint: Use @PreAuthorize to check roles on methods
Common Mistakes:
• Using @RequestMapping for access control
• Confusing @Autowired with security annotations
• Mistaking @Entity for access control
3. Given the method annotation @PreAuthorize("hasRole('ADMIN')"), what will happen if a user with the role USER tries to access this method?
medium
A. Access is granted because USER is a valid role
B. Method throws a syntax error
C. Access is denied because the user lacks the ADMIN role
D. Access is granted only if the user is authenticated

Solution

Step 1: Understand the @PreAuthorize expression
The expression requires the user to have the ADMIN role to access the method.
Step 2: Check the user's role against the requirement
A user with only the USER role does not meet the ADMIN role requirement, so access is denied.
Final Answer: Access is denied because the user lacks the ADMIN role -> Option C
Quick Check: Role check fails without ADMIN role = B
Hint: The user must have the exact role named in @PreAuthorize to gain access
Common Mistakes:
• Assuming any authenticated user can access
• Thinking the USER role is enough for ADMIN-only methods
• Confusing a syntax error with access denial
4. Consider this method in a Spring Boot controller:

@PreAuthorize("hasRole('ADMIN')")
public String adminPage() {
    return "Welcome Admin";
}

What is the likely cause if users with the ADMIN role still get access denied errors?
medium
A. The method must be static to work with @PreAuthorize
B. The role prefix 'ROLE_' is missing in the role check
C. The return type should be ResponseEntity<String>
D. The method should be annotated with @GetMapping instead

Solution

Step 1: Understand the Spring Security role prefix
By default, Spring Security adds the 'ROLE_' prefix to roles internally.
Step 2: Check the role naming in @PreAuthorize
Using hasRole('ADMIN') expects the granted authority to be 'ROLE_ADMIN'. If the user's authorities lack this prefix, access is denied.
Final Answer: The role prefix 'ROLE_' is missing in the role check -> Option B
Quick Check: Missing 'ROLE_' prefix causes access denial = D
Hint: Remember that Spring Security adds the 'ROLE_' prefix by default
Common Mistakes:
• Thinking @GetMapping affects access control
• Believing the return type affects security
• Assuming the method must be static for @PreAuthorize
5. You want to restrict access to a service method so that only users with either the ADMIN or the MANAGER role can call it. Which @PreAuthorize expression correctly enforces this?
hard
A. @PreAuthorize("hasRole('ADMIN,MANAGER')")
B. @PreAuthorize("hasRole('ADMIN', 'MANAGER')")
C. @PreAuthorize("hasRole('ADMIN') and hasRole('MANAGER')")
D. @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")

Solution

Step 1: Understand role checks for multiple roles
To allow access if the user has either ADMIN or MANAGER, use hasAnyRole('ADMIN', 'MANAGER').
Step 2: Analyze each option
• @PreAuthorize("hasRole('ADMIN') and hasRole('MANAGER')") requires both roles (AND), which is too strict.
• @PreAuthorize("hasRole('ADMIN', 'MANAGER')") is invalid, as hasRole accepts only one role.
• @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')") uses hasAnyRole, which is concise and correct.
• @PreAuthorize("hasRole('ADMIN,MANAGER')") is invalid syntax.
Final Answer: @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')") -> Option D
Quick Check: Use hasAnyRole for multiple allowed roles = A
Hint: Use hasAnyRole for OR conditions on roles
Common Mistakes:
• Using AND instead of OR for multiple roles
• Passing multiple roles as a single string
• Not using hasAnyRole for multiple roles