Spring Boot framework, ~10 mins

@Secured annotation in Spring Boot - Step-by-Step Execution

Concept Flow - @Secured annotation

Method call -> Check @Secured roles -> User roles match?
  No  -> Access Denied
  Yes -> Execute method -> Return result
When a method with @Secured is called, Spring checks if the user has the required role(s). If yes, the method runs; if not, access is denied.
Execution Sample (Spring Boot)
@Secured("ROLE_ADMIN")
public void adminTask() {
  // admin-only logic
}
This method runs only if the user has the ROLE_ADMIN authority.
Execution Table

| Step | Action           | User Roles   | Required Roles | Access Decision | Method Execution |
|------|------------------|--------------|----------------|-----------------|------------------|
| 1    | Call adminTask() | [ROLE_USER]  | [ROLE_ADMIN]   | Denied          | No               |
| 2    | Call adminTask() | [ROLE_ADMIN] | [ROLE_ADMIN]   | Allowed         | Yes              |
💡 Access denied when user roles do not include required ROLE_ADMIN
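The following is an added example, not code from the original page, that turns the execution sample and the two rows of the execution table into a runnable Spring Boot 3 / Spring Security 6 project. The class and method names (SecuredDemoApplication, AdminService, AdminServiceTest, adminTask, reportTask) and the split into two source files are assumptions; the annotations and imports are the real Spring Security and JUnit 5 ones. It also goes one step beyond the page by showing a method secured with two roles, where the caller needs any one of them.

```java
// --- src/main/java/demo/SecuredDemoApplication.java ---
// Added example (not from the original page). Requires spring-boot-starter-security.
package demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@SpringBootApplication
// securedEnabled = true is required: without it, @Secured annotations are silently ignored
@EnableMethodSecurity(securedEnabled = true)
public class SecuredDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(SecuredDemoApplication.class, args);
    }
}

@Service
class AdminService {

    // Same as the page's sample: the caller must hold the ROLE_ADMIN authority
    @Secured("ROLE_ADMIN")
    public String adminTask() {
        return "admin task executed";
    }

    // Multiple roles mean ANY one of them is sufficient (OR, not AND);
    // reportTask and ROLE_AUDITOR are assumed names for this example
    @Secured({"ROLE_ADMIN", "ROLE_AUDITOR"})
    public String reportTask() {
        return "report generated";
    }
}

// --- src/test/java/demo/AdminServiceTest.java ---
// Reproduces the execution table. Requires spring-security-test for @WithMockUser.
package demo;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.test.context.support.WithMockUser;

@SpringBootTest
class AdminServiceTest {

    @Autowired
    AdminService adminService;

    // Step 1: user roles [ROLE_USER], required [ROLE_ADMIN] -> Denied, method body never runs
    @Test
    @WithMockUser(roles = "USER") // roles = "USER" becomes the authority ROLE_USER
    void userWithoutAdminRoleIsDenied() {
        assertThrows(AccessDeniedException.class, () -> adminService.adminTask());
    }

    // Step 2: user roles [ROLE_ADMIN], required [ROLE_ADMIN] -> Allowed, method runs
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() {
        assertEquals("admin task executed", adminService.adminTask());
    }

    // Extra roles do not matter as long as ROLE_ADMIN is present
    @Test
    @WithMockUser(roles = {"ADMIN", "USER"})
    void adminWithAdditionalRolesIsAllowed() {
        assertEquals("admin task executed", adminService.adminTask());
    }

    // Any-of check: ROLE_AUDITOR alone satisfies @Secured({"ROLE_ADMIN", "ROLE_AUDITOR"})
    @Test
    @WithMockUser(roles = "AUDITOR")
    void auditorCanRunReport() {
        assertEquals("report generated", adminService.reportTask());
    }
}
```

Two caveats worth checking in your own project: the check is applied by a Spring AOP proxy, so a call to adminTask() from another method inside the same bean bypasses @Secured entirely, and an unauthenticated call (no Authentication in the SecurityContext) fails with AuthenticationCredentialsNotFoundException rather than AccessDeniedException.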
Variable Tracker

| Variable         | Start       | After Step 1 | After Step 2 |
|------------------|-------------|--------------|--------------|
| User Roles       | [ROLE_USER] | [ROLE_USER]  | [ROLE_ADMIN] |
| Access Decision  | N/A         | Denied       | Allowed      |
| Method Execution | N/A         | No           | Yes          |
Key Moments - 2 Insights
Why does the method not run when the user has ROLE_USER but not ROLE_ADMIN?
Because @Secured requires the user to have ROLE_ADMIN. Row 1 of the execution table shows that access is denied when the roles don't match.
Can the method run if the user has multiple roles including ROLE_ADMIN?
Yes, as long as ROLE_ADMIN is present, access is allowed. The check looks for required roles, not exclusive roles.
Visual Quiz - 3 Questions

Test your understanding

1. Look at the execution table: what is the Access Decision at Step 1?
   A) Allowed
   B) Denied
   C) Pending
   D) Error
   Hint: Check the Access Decision column for Step 1 in the execution table.

2. At which step does the method actually execute?
   A) Step 1
   B) Both steps
   C) Step 2
   D) Neither step
   Hint: Look at the Method Execution column in the execution table.

3. If the user roles changed to [ROLE_ADMIN, ROLE_USER], what would happen at Step 1?
   A) Access Allowed
   B) Access Denied
   C) Error due to multiple roles
   D) Method skipped
   Hint: The key moments explain that having ROLE_ADMIN among the user's roles allows access.
Concept Snapshot
@Secured annotation restricts method access by roles.
Place @Secured("ROLE_NAME") above methods.
Spring checks if user has required role before running method.
If user lacks role, access is denied and method is not executed.
Supports multiple roles; user must have at least one required role.
Full Transcript
The @Secured annotation in Spring Boot is used to protect methods by specifying the required user roles. When a method annotated with @Secured is called, Spring checks the current user's roles. If the user has the required role, the method runs normally. If not, access is denied and the method does not execute. For example, a method annotated with @Secured("ROLE_ADMIN") will only run if the user has the ROLE_ADMIN authority. The execution table shows two calls: one by a user with ROLE_USER only, which is denied, and one by a user with ROLE_ADMIN, which is allowed. This helps secure sensitive parts of an application through role-based access control.