Spring Boot framework, ~20 mins

Securing endpoints by role in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems

Component behavior
intermediate
What happens when a user with role USER accesses an endpoint secured for ADMIN only?

Consider a Spring Boot REST controller with an endpoint secured to allow only users with the ADMIN role. A user authenticated with only the USER role tries to access this endpoint.

What will be the result?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SampleController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/data")
    public String getAdminData() {
        return "Sensitive admin data";
    }
}
A. The user receives HTTP 403 Forbidden error because they lack ADMIN role.
B. The user receives HTTP 401 Unauthorized error because they are not authenticated.
C. The user successfully accesses the endpoint and sees the data.
D. The user is redirected to the login page automatically.
💡 Hint

Think about what Spring Security does when a user is authenticated but lacks the required role.

📝 Syntax
intermediate
Which @PreAuthorize expression correctly restricts access to users with either ADMIN or MANAGER role?

Given a Spring Boot method, which of the following @PreAuthorize annotations correctly allows access only to users with role ADMIN or MANAGER?

A. @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")
B. @PreAuthorize("hasRole('ADMIN') or hasRole('MANAGER')")
C. @PreAuthorize("hasRole('ADMIN', 'MANAGER')")
D. @PreAuthorize("hasRole('ADMIN') && hasRole('MANAGER')")
💡 Hint

Look for the annotation that checks if the user has any one of multiple roles.

🔧 Debug
advanced
Why does this secured endpoint allow access to users without the required role?

Review the following Spring Boot controller code. Despite the @PreAuthorize annotation, users without the ADMIN role can access the endpoint. What is the most likely cause?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DebugController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/secure-data")
    public String secureData() {
        return "Top secret";
    }
}
A. The endpoint URL is not mapped correctly.
B. The user is authenticated with ADMIN role but the role prefix is missing.
C. Method security is not enabled in the Spring Security configuration.
D. The @PreAuthorize annotation is placed on the wrong method.
💡 Hint

Check if method-level security is activated in the application.

State output
advanced
What is the output when accessing a role-secured endpoint with a user having multiple roles?

Given a Spring Boot endpoint secured with @PreAuthorize("hasRole('ADMIN')"), what will be the output if a user authenticated with roles USER and ADMIN accesses it?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MultiRoleController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin-area")
    public String adminArea() {
        return "Welcome Admin";
    }
}
A. The user receives HTTP 401 Unauthorized because USER role is not enough.
B. The user receives HTTP 403 Forbidden because multiple roles cause conflict.
C. The user receives an error due to ambiguous roles.
D. The user receives "Welcome Admin" because they have the ADMIN role.
💡 Hint

Think about how Spring Security checks roles when multiple roles are present.

🧠 Conceptual
expert
Which statement best describes the role prefix behavior in Spring Security's hasRole method?

In Spring Security, the hasRole('ROLE_NAME') method is used to check user roles. Which of the following statements about role prefixes is correct?

A. Spring Security does not use any prefix for roles by default.
B. The hasRole method automatically adds the prefix "ROLE_" to the role name before checking.
C. The hasRole method requires the full role name including "ROLE_" prefix to be passed explicitly.
D. The role prefix can only be changed by modifying the user details service.
💡 Hint

Consider the default behavior of Spring Security regarding role names.