Recall & Review
beginner
What is the purpose of the @Secured annotation in Spring Boot?
The @Secured annotation is used to specify security roles that are allowed to access a method or class. It restricts access based on user roles.
beginner
How do you specify multiple roles with @Secured?
You provide an array of role names inside @Secured, like @Secured({"ROLE_ADMIN", "ROLE_USER"}). The method is accessible if the user has any one of these roles.
beginner
Where can you place the @Secured annotation in your code?
You can place @Secured on methods or on classes. When placed on a class, it applies to all methods inside that class.
intermediate
What must be enabled in Spring Security configuration to use @Secured annotations?
You must enable method security by adding @EnableMethodSecurity(securedEnabled = true) in your configuration class.
intermediate
What happens if a user without the required role tries to access a method annotated with @Secured?
Spring Security will deny access and throw an AccessDeniedException, usually resulting in a 403 Forbidden HTTP response.
What does @Secured({"ROLE_ADMIN"}) mean?
A. Only users with ROLE_ADMIN can access the method
B. All users can access the method
C. Users with any role can access the method
D. It disables security for the method
The annotation restricts access to users who have the ROLE_ADMIN authority.
Where do you enable support for @Secured annotations in Spring Boot?
A. In the controller class only
B. In the application.properties file
C. No configuration needed
D. In the main application class with @EnableMethodSecurity(securedEnabled = true)
You must enable method security with @EnableMethodSecurity(securedEnabled = true) to use @Secured.
If @Secured is placed on a class, what happens?
A. It applies only to methods with @RequestMapping
B. It applies to all methods in the class
C. It applies only to the constructor
D. It has no effect
The annotation secures all methods inside the class.
Can @Secured accept multiple roles?
A. Yes, but only as a comma-separated string
B. No, only one role is allowed
C. Yes, as an array of role names
D. No, roles are defined elsewhere
@Secured accepts an array like {"ROLE_USER", "ROLE_ADMIN"}.
What exception is thrown if access is denied by @Secured?
A. AccessDeniedException
B. NullPointerException
C. IllegalArgumentException
D. AuthenticationException
Spring Security throws AccessDeniedException when a user lacks required roles.
Explain how the @Secured annotation controls access in a Spring Boot application.
Think about who can use the method and what happens if they can't.
Describe the steps to secure a method using @Secured in Spring Boot.
Consider configuration and annotation placement.
Practice
1.
What is the main purpose of the @Secured annotation in Spring Boot?
easy
A. To restrict access to methods based on user roles
B. To define database entity relationships
C. To configure application properties
D. To handle HTTP request mappings
Solution
Step 1: Understand the role of @Secured
The @Secured annotation is used to limit method access to users with specific roles.
Step 2: Compare with other options
Other options relate to different Spring features like database or HTTP handling, not security roles.
Final Answer:
To restrict access to methods based on user roles -> Option A
Quick Check:
@Secured controls method access by roles
Hint: Remember: @Secured controls who can run a method
Common Mistakes:
Confusing @Secured with @RequestMapping
Thinking @Secured configures database
Assuming @Secured manages app properties
2.
Which of the following is the correct way to use @Secured to allow only users with role ADMIN to access a method?
@Secured({"?"})
public void adminMethod() { }
easy
A. ROLE_ADMIN
B. ADMIN
C. ROLE-ADMIN
D. ROLE_ADMINISTRATOR
Solution
Step 1: Recall role naming convention
Spring Security requires roles to be prefixed with ROLE_, so ROLE_ADMIN is correct.
Step 2: Check other options
ADMIN without prefix is invalid; ROLE-ADMIN uses wrong separator; ROLE_ADMINISTRATOR is a different role.
Final Answer:
ROLE_ADMIN -> Option A
Quick Check:
Roles need the ROLE_ prefix
Hint: Always prefix roles with ROLE_ inside @Secured
Common Mistakes:
Omitting ROLE_ prefix
Using dash (-) instead of underscore (_)
Using wrong role names
3.
Given this method secured with @Secured({"ROLE_USER", "ROLE_ADMIN"}), what happens if a user with role ROLE_GUEST calls it?
@Secured({"ROLE_USER", "ROLE_ADMIN"})
public String getData() {
    return "Secret Data";
}
medium
A. The method executes and returns "Secret Data"
B. The method executes but returns empty string
C. The method returns null
D. Access denied error is thrown
Solution
Step 1: Understand role checking with @Secured
The annotation allows only users with roles ROLE_USER or ROLE_ADMIN.
Step 2: Check user role
User has ROLE_GUEST, which is not allowed, so access is denied.
Final Answer:
Access denied error is thrown -> Option D
Quick Check:
User role mismatch causes denial
Hint: Only listed roles can access; others get denied
Common Mistakes:
Assuming method runs for any role
Thinking method returns null on denial
Confusing role names
4.
Identify the error in this usage of @Secured:
@Secured("ROLE_ADMIN")
public void adminTask() { }
medium
A. Role name should not have ROLE_ prefix
B. Missing curly braces around roles array
C. Method must return a value
D. Annotation should be @RolesAllowed instead
Solution
Step 1: Check @Secured syntax
@Secured expects an array of roles, so roles must be inside curly braces {}.
Step 2: Analyze given code
Here, the role is given as a single string without braces, causing a syntax error.
Final Answer:
Missing curly braces around roles array -> Option B
Quick Check:
@Secured requires roles in braces
Hint: Always use braces {} for roles in @Secured
Common Mistakes:
Omitting braces for single role
Removing ROLE_ prefix
Confusing @Secured with @RolesAllowed
5.
You want to secure two methods: one accessible only by ROLE_ADMIN, and another accessible by either ROLE_USER or ROLE_MANAGER. Which is the correct way to annotate these methods?
Method 1:
@Secured({"?"})
public void adminOnly() { }
Method 2:
@Secured({"?"})
public void userOrManager() { }
hard
A. {"ROLE_ADMIN"} and {"ROLE_USER|ROLE_MANAGER"}
B. {"ADMIN"} and {"USER", "MANAGER"}
C. {"ROLE_ADMIN"} and {"ROLE_USER", "ROLE_MANAGER"}
D. {"ROLE_ADMIN", "ROLE_USER"} and {"ROLE_MANAGER"}
Solution
Step 1: Secure Method 1 for ROLE_ADMIN only
Use @Secured({"ROLE_ADMIN"}) to restrict access to admins.
Step 2: Secure Method 2 for ROLE_USER or ROLE_MANAGER
Use @Secured({"ROLE_USER", "ROLE_MANAGER"}) to allow either role.
Final Answer:
{"ROLE_ADMIN"} and {"ROLE_USER", "ROLE_MANAGER"} -> Option C
Quick Check:
Use arrays with the ROLE_ prefix for multiple roles
Hint: Use arrays with the ROLE_ prefix for each method