Bird
Raised Fist0
Spring Bootframework~5 mins

Securing endpoints by role in Spring Boot - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is the purpose of securing endpoints by role in Spring Boot?
It restricts access to certain parts of an application based on the user's assigned roles, ensuring only authorized users can perform specific actions.
Click to reveal answer
beginner
Which annotation is commonly used in Spring Boot to specify role-based access on methods or endpoints?
The @PreAuthorize annotation is used to define role-based access rules on methods or endpoints.
Click to reveal answer
intermediate
How do you configure role-based access for HTTP endpoints in Spring Security?
You configure it in the SecurityFilterChain bean using authorizeHttpRequests() with matchers and hasRole() or hasAuthority() methods.
Click to reveal answer
intermediate
What is the difference between hasRole('ADMIN') and hasAuthority('ROLE_ADMIN') in Spring Security?
hasRole('ADMIN') automatically adds the prefix ROLE_, so it checks for ROLE_ADMIN. hasAuthority('ROLE_ADMIN') checks the exact authority string without adding a prefix.
Click to reveal answer
beginner
Why is it important to use role-based security instead of just authentication?
Authentication confirms who the user is, but role-based security controls what the user is allowed to do, protecting sensitive actions and data.
Click to reveal answer
Which Spring Security annotation restricts access to a method based on user roles?
A@RequestMapping
B@Autowired
C@PreAuthorize
D@Component
In Spring Security, what prefix does hasRole('USER') automatically add when checking authorities?
AROLE-
BROLE_
CAUTH_
DUSER_
Where do you typically configure HTTP endpoint security rules in Spring Boot?
AIn a SecurityFilterChain bean
BIn the main application class
CIn the Controller class
DIn the application.properties file
What happens if a user without the required role tries to access a secured endpoint?
AAccess is granted anyway
BUser is redirected to the homepage
CUser is automatically logged out
DAccess is denied with a 403 Forbidden response
Which method is used to specify role requirements for HTTP requests in Spring Security?
AauthorizeHttpRequests()
BconfigureHttp()
CsetRoles()
DenableSecurity()
Explain how to secure a REST endpoint in Spring Boot so only users with the ADMIN role can access it.
Think about configuring HTTP security with role checks.
You got /4 concepts.
    Describe the difference between authentication and role-based authorization in Spring Security.
    Consider what each step confirms about the user.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the primary purpose of using @PreAuthorize in a Spring Boot application?
      easy
      A. To log user activities
      B. To format the response data
      C. To handle database transactions
      D. To restrict access to methods based on user roles

      Solution

      1. Step 1: Understand the role of @PreAuthorize

        @PreAuthorize is an annotation used to secure methods by specifying access rules based on user roles or permissions.

      2. Step 2: Identify its main function

        It restricts method access so only users with certain roles can execute them, enhancing security.

      3. Final Answer:

        To restrict access to methods based on user roles -> Option D

      4. Quick Check:

        @PreAuthorize controls access by roles [OK]
      Hint: Remember @PreAuthorize controls method access by roles [OK]
      Common Mistakes:
      • Confusing @PreAuthorize with logging or formatting annotations
      • Thinking it manages database transactions
      • Assuming it handles response data formatting
      2. Which of the following is the correct syntax to restrict access to a method only to users with the role 'ADMIN' using @PreAuthorize?
      easy
      A. @PreAuthorize("hasRole('ADMIN')")
      B. @PreAuthorize("hasRole('USER')")
      C. @PreAuthorize("permitAll()")
      D. @PreAuthorize("denyAll()")

      Solution

      1. Step 1: Understand the hasRole syntax

        The hasRole('ROLE_NAME') expression inside @PreAuthorize restricts access to users with that role.

      2. Step 2: Match the role 'ADMIN'

        To restrict to 'ADMIN', use hasRole('ADMIN'). Other options either allow all or restrict to different roles.

      3. Final Answer:

        @PreAuthorize("hasRole('ADMIN')") -> Option A

      4. Quick Check:

        Correct role syntax = @PreAuthorize("hasRole('ADMIN')") [OK]
      Hint: Use hasRole('ROLE_NAME') exactly for role checks [OK]
      Common Mistakes:
      • Using wrong role names like 'USER' instead of 'ADMIN'
      • Using permitAll or denyAll when restricting by role
      • Incorrect syntax like missing quotes
      3. Given the following method in a Spring Boot controller:
      @PreAuthorize("hasRole('MANAGER')")
public String getManagerData() {
    return "Manager Info";
}

      What will happen if a user with role 'EMPLOYEE' tries to access getManagerData()?
      medium
      A. Access is denied and an error is thrown
      B. The method returns "Manager Info"
      C. The method returns null
      D. The method executes but returns an empty string

      Solution

      1. Step 1: Check the role restriction

        The method is restricted to users with role 'MANAGER' only.

      2. Step 2: Analyze access for 'EMPLOYEE' role

        A user with role 'EMPLOYEE' does not meet the role requirement, so access is denied by Spring Security.

      3. Final Answer:

        Access is denied and an error is thrown -> Option A

      4. Quick Check:

        Role mismatch causes access denial [OK]
      Hint: Access denied if user role doesn't match @PreAuthorize role [OK]
      Common Mistakes:
      • Assuming method returns data regardless of role
      • Thinking method returns null or empty string on denial
      • Ignoring Spring Security's access control
      4. Consider this Spring Boot method:
      @PreAuthorize("hasRole('ADMIN')")
public String adminPanel() {
    return "Welcome Admin";
}

      Which of the following is a common mistake that will cause this security annotation to fail?
      medium
      A. Returning a String instead of void
      B. Using hasRole('admin') with lowercase role name
      C. Placing @PreAuthorize above the method
      D. Not importing org.springframework.security.access.prepost.PreAuthorize

      Solution

      1. Step 1: Check role name case sensitivity

        Spring Security roles are case sensitive. Using lowercase 'admin' instead of 'ADMIN' causes the check to fail.

      2. Step 2: Verify other options

        @PreAuthorize must be above the method, returning String is valid, and missing import causes compile error but not security failure.

      3. Final Answer:

        Using hasRole('admin') with lowercase role name -> Option B

      4. Quick Check:

        Role names are case sensitive [OK]
      Hint: Role names must match case exactly in hasRole() [OK]
      Common Mistakes:
      • Using lowercase role names
      • Ignoring import statements causing compile errors
      • Misplacing @PreAuthorize annotation
      5. You want to secure two endpoints in your Spring Boot app: one accessible only by users with role 'USER', and another accessible only by users with role 'ADMIN'. Which is the best way to implement this using @PreAuthorize?
      hard
      A. Use @PreAuthorize("hasRole('USER') or hasRole('ADMIN')") on both methods
      B. Use @PreAuthorize("hasAnyRole('USER', 'ADMIN')") on both methods
      C. Use @PreAuthorize("hasRole('USER')") on the user method and @PreAuthorize("hasRole('ADMIN')") on the admin method
      D. Use @PreAuthorize("permitAll()") on both methods and check roles inside method

      Solution

      1. Step 1: Understand role-specific access

        Each endpoint should restrict access to its specific role only, not both roles together.

      2. Step 2: Apply correct @PreAuthorize annotations

        Use @PreAuthorize("hasRole('USER')") on the user endpoint and @PreAuthorize("hasRole('ADMIN')") on the admin endpoint to enforce separate access.

      3. Final Answer:

        Use @PreAuthorize("hasRole('USER')") on the user method and @PreAuthorize("hasRole('ADMIN')") on the admin method -> Option C

      4. Quick Check:

        Separate roles need separate @PreAuthorize rules [OK]
      Hint: Assign each method its specific role in @PreAuthorize [OK]
      Common Mistakes:
      • Using combined roles on both methods allowing wrong access
      • Using permitAll and checking roles manually inside methods
      • Using hasAnyRole on both methods ignoring role separation