
Securing endpoints by role in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What happens when a user with role USER accesses an endpoint secured for ADMIN only?

Consider a Spring Boot REST controller with an endpoint secured to allow only users with the ADMIN role. A user authenticated with only the USER role tries to access this endpoint.

What will be the result?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SampleController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/data")
    public String getAdminData() {
        return "Sensitive admin data";
    }
}
A. The user receives an HTTP 403 Forbidden error because they lack the ADMIN role.
B. The user receives an HTTP 401 Unauthorized error because they are not authenticated.
C. The user successfully accesses the endpoint and sees the data.
D. The user is redirected to the login page automatically.
💡 Hint

Think about what Spring Security does when a user is authenticated but lacks the required role.

📝 Syntax
intermediate
Which @PreAuthorize expression correctly restricts access to users with either ADMIN or MANAGER role?

Given a Spring Boot method, which of the following @PreAuthorize annotations correctly allows access only to users with role ADMIN or MANAGER?

A. @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")
B. @PreAuthorize("hasRole('ADMIN') or hasRole('MANAGER')")
C. @PreAuthorize("hasRole('ADMIN', 'MANAGER')")
D. @PreAuthorize("hasRole('ADMIN') && hasRole('MANAGER')")
💡 Hint

Look for the annotation that checks if the user has any one of multiple roles.

🔧 Debug
advanced
Why does this secured endpoint allow access to users without the required role?

Review the following Spring Boot controller code. Despite the @PreAuthorize annotation, users without the ADMIN role can access the endpoint. What is the most likely cause?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DebugController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/secure-data")
    public String secureData() {
        return "Top secret";
    }
}
A. The endpoint URL is not mapped correctly.
B. The user is authenticated with the ADMIN role but the role prefix is missing.
C. Method security is not enabled in the Spring Security configuration.
D. The @PreAuthorize annotation is placed on the wrong method.
💡 Hint

Check if method-level security is activated in the application.

state_output
advanced
What is the output when accessing a role-secured endpoint with a user having multiple roles?

Given a Spring Boot endpoint secured with @PreAuthorize("hasRole('ADMIN')"), what will be the output if a user authenticated with roles USER and ADMIN accesses it?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MultiRoleController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin-area")
    public String adminArea() {
        return "Welcome Admin";
    }
}
A. The user receives HTTP 401 Unauthorized because the USER role is not enough.
B. The user receives HTTP 403 Forbidden because multiple roles cause a conflict.
C. The user receives an error due to ambiguous roles.
D. The user receives "Welcome Admin" because they have the ADMIN role.
💡 Hint

Think about how Spring Security checks roles when multiple roles are present.

🧠 Conceptual
expert
Which statement best describes the role prefix behavior in Spring Security's hasRole method?

In Spring Security, the hasRole('ROLE_NAME') method is used to check user roles. Which of the following statements about role prefixes is correct?

A. Spring Security does not use any prefix for roles by default.
B. The hasRole method automatically adds the prefix "ROLE_" to the role name before checking.
C. The hasRole method requires the full role name, including the "ROLE_" prefix, to be passed explicitly.
D. The role prefix can only be changed by modifying the user details service.
💡 Hint

Consider the default behavior of Spring Security regarding role names.

Practice

1. What is the primary purpose of using @PreAuthorize in a Spring Boot application?
easy
A. To log user activities
B. To format the response data
C. To handle database transactions
D. To restrict access to methods based on user roles

Solution

  1. Step 1: Understand the role of @PreAuthorize

    @PreAuthorize is an annotation used to secure methods by specifying access rules based on user roles or permissions.
  2. Step 2: Identify its main function

    It restricts method access so only users with certain roles can execute them, enhancing security.
  3. Final Answer:

    To restrict access to methods based on user roles -> Option D
  4. Quick Check:

    @PreAuthorize controls access by roles [OK]
Hint: Remember @PreAuthorize controls method access by roles [OK]
Common Mistakes:
  • Confusing @PreAuthorize with logging or formatting annotations
  • Thinking it manages database transactions
  • Assuming it handles response data formatting
2. Which of the following is the correct syntax to restrict access to a method only to users with the role 'ADMIN' using @PreAuthorize?
easy
A. @PreAuthorize("hasRole('ADMIN')")
B. @PreAuthorize("hasRole('USER')")
C. @PreAuthorize("permitAll()")
D. @PreAuthorize("denyAll()")

Solution

  1. Step 1: Understand the hasRole syntax

    The hasRole('ROLE_NAME') expression inside @PreAuthorize restricts access to users with that role.
  2. Step 2: Match the role 'ADMIN'

    To restrict to 'ADMIN', use hasRole('ADMIN'). Other options either allow all or restrict to different roles.
  3. Final Answer:

    @PreAuthorize("hasRole('ADMIN')") -> Option A
  4. Quick Check:

    Correct role syntax = @PreAuthorize("hasRole('ADMIN')") [OK]
Hint: Use hasRole('ROLE_NAME') exactly for role checks [OK]
Common Mistakes:
  • Using wrong role names like 'USER' instead of 'ADMIN'
  • Using permitAll or denyAll when restricting by role
  • Incorrect syntax like missing quotes
3. Given the following method in a Spring Boot controller:
@PreAuthorize("hasRole('MANAGER')")
public String getManagerData() {
    return "Manager Info";
}

What will happen if a user with role 'EMPLOYEE' tries to access getManagerData()?
medium
A. Access is denied and an error is thrown
B. The method returns "Manager Info"
C. The method returns null
D. The method executes but returns an empty string

Solution

  1. Step 1: Check the role restriction

    The method is restricted to users with role 'MANAGER' only.
  2. Step 2: Analyze access for 'EMPLOYEE' role

    A user with role 'EMPLOYEE' does not meet the role requirement, so access is denied by Spring Security.
  3. Final Answer:

    Access is denied and an error is thrown -> Option A
  4. Quick Check:

    Role mismatch causes access denial [OK]
Hint: Access denied if user role doesn't match @PreAuthorize role [OK]
Common Mistakes:
  • Assuming method returns data regardless of role
  • Thinking method returns null or empty string on denial
  • Ignoring Spring Security's access control
4. Consider this Spring Boot method:
@PreAuthorize("hasRole('ADMIN')")
public String adminPanel() {
    return "Welcome Admin";
}

Which of the following is a common mistake that will cause this security annotation to fail?
medium
A. Returning a String instead of void
B. Using hasRole('admin') with lowercase role name
C. Placing @PreAuthorize above the method
D. Not importing org.springframework.security.access.prepost.PreAuthorize

Solution

  1. Step 1: Check role name case sensitivity

    Spring Security roles are case sensitive. Using lowercase 'admin' instead of 'ADMIN' causes the check to fail.
  2. Step 2: Verify other options

    @PreAuthorize must be placed above the method, returning a String is valid, and a missing import causes a compile error rather than a security failure.
  3. Final Answer:

    Using hasRole('admin') with lowercase role name -> Option B
  4. Quick Check:

    Role names are case sensitive [OK]
Hint: Role names must match case exactly in hasRole() [OK]
Common Mistakes:
  • Using lowercase role names
  • Ignoring import statements causing compile errors
  • Misplacing @PreAuthorize annotation
5. You want to secure two endpoints in your Spring Boot app: one accessible only by users with role 'USER', and another accessible only by users with role 'ADMIN'. Which is the best way to implement this using @PreAuthorize?
hard
A. Use @PreAuthorize("hasRole('USER') or hasRole('ADMIN')") on both methods
B. Use @PreAuthorize("hasAnyRole('USER', 'ADMIN')") on both methods
C. Use @PreAuthorize("hasRole('USER')") on the user method and @PreAuthorize("hasRole('ADMIN')") on the admin method
D. Use @PreAuthorize("permitAll()") on both methods and check roles inside method

Solution

  1. Step 1: Understand role-specific access

    Each endpoint should restrict access to its specific role only, not both roles together.
  2. Step 2: Apply correct @PreAuthorize annotations

    Use @PreAuthorize("hasRole('USER')") on the user endpoint and @PreAuthorize("hasRole('ADMIN')") on the admin endpoint to enforce separate access.
  3. Final Answer:

    Use @PreAuthorize("hasRole('USER')") on the user method and @PreAuthorize("hasRole('ADMIN')") on the admin method -> Option C
  4. Quick Check:

    Separate roles need separate @PreAuthorize rules [OK]
Hint: Assign each method its specific role in @PreAuthorize [OK]
Common Mistakes:
  • Using combined roles on both methods allowing wrong access
  • Using permitAll and checking roles manually inside methods
  • Using hasAnyRole on both methods ignoring role separation