Spring Boot framework, ~20 mins

Why authorization matters in Spring Boot - Challenge Your Understanding

Challenge - 5 Problems
Conceptual (intermediate)
Why is authorization important in a Spring Boot application?

Consider a Spring Boot web application that handles user data. Why is authorization a critical part of its security?

A. It ensures users can only access resources and actions they are allowed to, protecting sensitive data.
B. It encrypts user passwords before storing them in the database.
C. It validates the format of user input to prevent errors.
D. It manages the application's database connections efficiently.

Hint: Think about what happens if anyone could access all parts of the app without restrictions.

Component behavior (intermediate)
What happens when a user without proper role tries to access a secured endpoint?

In a Spring Boot app using Spring Security, if a user without the required role tries to access a protected REST endpoint, what is the expected behavior?

A. The server returns a 403 Forbidden response, denying access.
B. The server redirects the user to the login page.
C. The server allows access but logs a warning.
D. The server crashes with an exception.

Hint: Think about how Spring Security handles authorization failures for authenticated users.

Syntax (advanced)
Identify the correct way to restrict access to a controller method by role

Which of the following Spring Boot controller method annotations correctly restricts access to users with the role 'ADMIN'?

Spring Boot
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AdminController {

    // Only authenticated users holding ROLE_ADMIN may invoke this endpoint.
    // Method security (@EnableMethodSecurity) must be enabled for the
    // annotation to be enforced. The "/admin" mapping is an assumed path,
    // added so the method is actually exposed as an endpoint.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public String adminOnly() {
        return "Welcome Admin";
    }
}
A. @PreAuthorize("hasRole('USER')")
B. @PreAuthorize("hasAuthority('ROLE_ADMIN')")
C. @PreAuthorize("hasRole('ADMIN')")
D. @PreAuthorize("permitAll()")

Hint: Remember that Spring Security stores roles with the 'ROLE_' prefix internally, but the hasRole expression takes the role name without the prefix.

Debug (advanced)
Why does this Spring Security configuration allow unauthorized access?

Given this Spring Security config snippet, why might unauthorized users still access protected URLs?

Spring Boot
http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").hasRole("ADMIN")
    .anyRequest().permitAll()
  )
  .formLogin();
A. Because requestMatchers is deprecated and ignored.
B. Because anyRequest().permitAll() allows all other URLs without authentication.
C. Because formLogin() disables security filters.
D. Because hasRole("ADMIN") is case-sensitive and should be lowercase.

Hint: Look at the order and meaning of the authorization rules.

Lifecycle (expert)
At what point in the Spring Security filter chain is authorization enforced?

In Spring Security, when during the filter chain processing is authorization (access control) checked?

A. After the controller processes the request, to verify output security.
B. Authorization is not handled by filters but by database triggers.
C. Before authentication filters, to block unauthenticated requests early.
D. After authentication filters have successfully authenticated the user, before the request reaches the controller.

Hint: Think about the order: authentication first, then authorization.