Spring Boot framework (about 20 minutes)

Why authorization matters in Spring Boot - Challenge Your Understanding

Challenge - 5 Problems
🧠 Conceptual (intermediate)
Why is authorization important in a Spring Boot application?

Consider a Spring Boot web application that handles user data. Why is authorization a critical part of its security?

A. It ensures users can only access resources and actions they are allowed to, protecting sensitive data.
B. It encrypts user passwords before storing them in the database.
C. It validates the format of user input to prevent errors.
D. It manages the application's database connections efficiently.
💡 Hint

Think about what happens if anyone could access all parts of the app without restrictions.

Component behavior (intermediate)
What happens when an authenticated user without the required role tries to access a secured endpoint?

In a Spring Boot app using Spring Security, a user has logged in but does not hold the role that a protected REST endpoint requires. What is the expected behavior when they request it?

A. The server returns a 403 Forbidden response, denying access.
B. The server redirects the user to the login page.
C. The server allows access but logs a warning.
D. The server crashes with an exception.
💡 Hint

Think about how Spring Security handles an authorization failure for a caller who is already authenticated. An unauthenticated caller is handled differently: the failure is passed to the authentication entry point, which for form login means a redirect to the login page.

📝 Syntax (advanced)
Identify the correct way to restrict access to a controller method by role

Which of the following Spring Boot controller method annotations correctly restricts access to users with the role 'ADMIN'?

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// @PreAuthorize is enforced only when method security is switched on
// (@EnableMethodSecurity on a configuration class).
@RestController
public class AdminController {

    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    public String adminOnly() {
        return "Welcome Admin";
    }
}
A. @PreAuthorize("hasRole('USER')")
B. @PreAuthorize("hasAuthority('ROLE_ADMIN')")
C. @PreAuthorize("hasRole('ADMIN')")
D. @PreAuthorize("permitAll()")
💡 Hint

hasRole('ADMIN') adds the default ROLE_ prefix and checks for the granted authority ROLE_ADMIN, so hasAuthority('ROLE_ADMIN') performs the same check with the prefix written out. hasRole is the idiomatic form and the one the snippet uses; either way, the annotation does nothing unless method security is enabled with @EnableMethodSecurity.

🔧 Debug (advanced)
Why does this Spring Security configuration leave endpoints unprotected?

Given this Spring Security configuration, why can unauthenticated users still reach endpoints the developer assumed were protected (for example /api/users)?

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
      .authorizeHttpRequests(auth -> auth
        .requestMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().permitAll()
      )
      .formLogin(Customizer.withDefaults());
    return http.build();
}
A. Because requestMatchers is deprecated and ignored.
B. Because anyRequest().permitAll() allows all other URLs without authentication.
C. Because formLogin() disables security filters.
D. Because hasRole("ADMIN") is case-sensitive and should be lowercase.
💡 Hint

Read the two rules as an ordered list: the last line decides what happens to every URL that the /admin/** pattern did not match.
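The three outcomes that the component-behavior question and this debug question turn on (an anonymous caller, an authenticated caller without the role, and a URL no rule matched) can be pinned down with a MockMvc test. The following is an added example, not code from this page: it assumes Spring Boot 3.x with Spring Security 6.x and the spring-security-test module on the classpath, and the endpoints /admin/dashboard and /api/users, the user names and the package are hypothetical.

```java
// Added example (not code from the quiz page). Assumes Spring Boot 3.x / Spring Security 6.x with
// spring-boot-starter-web, spring-boot-starter-security and spring-security-test on the classpath.
// The package, endpoints and user names are hypothetical.
package com.example.authz.web;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest
@AutoConfigureMockMvc
class AuthorizationOutcomesTest {

    // The test boots this nested class as a complete Spring Boot application.
    @SpringBootApplication
    static class App {

        @RestController
        static class DemoController {
            @GetMapping("/admin/dashboard") String dashboard() { return "admin dashboard"; }
            @GetMapping("/api/users")       String users()     { return "user list"; }
        }

        // Hardened chain (default): URLs the /admin/** rule does not match still need a login.
        @Bean @Profile("!weak")
        SecurityFilterChain hardened(HttpSecurity http) throws Exception {
            return http
                .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated())
                .formLogin(Customizer.withDefaults())
                .build();
        }

        // Weak chain from the debug question: only /admin/** is guarded, so /api/users is served
        // to anonymous callers. Run with spring.profiles.active=weak and unlistedPathIsNotOpen fails.
        @Bean @Profile("weak")
        SecurityFilterChain weak(HttpSecurity http) throws Exception {
            return http
                .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().permitAll())
                .formLogin(Customizer.withDefaults())
                .build();
        }
    }

    @Autowired MockMvc mvc;

    @Test
    void anonymousCallerIsSentToLogin() throws Exception {
        // Nobody logged in: the access-denied outcome is handed to the authentication entry point,
        // which for form login is a redirect to /login rather than a 403.
        mvc.perform(get("/admin/dashboard"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    void authenticatedUserWithoutRoleGets403() throws Exception {
        // roles("USER") grants the authority ROLE_USER; hasRole("ADMIN") looks for ROLE_ADMIN.
        mvc.perform(get("/admin/dashboard").with(user("alice").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test
    void adminGets200() throws Exception {
        mvc.perform(get("/admin/dashboard").with(user("root").roles("ADMIN")))
           .andExpect(status().isOk());
    }

    @Test
    void unlistedPathIsNotOpen() throws Exception {
        // Under the weak chain this anonymous request would be answered with 200.
        mvc.perform(get("/api/users"))
           .andExpect(status().is3xxRedirection());
    }
}
```

The weak chain is the configuration from the question; activating the weak profile makes unlistedPathIsNotOpen fail, which is exactly the gap the question asks about. Note that the anonymous case produces a redirect, not a 403: the 403 in the previous question is specific to a caller who is already authenticated, and a default of anyRequest().authenticated() (or denyAll() for an API that enumerates its public paths explicitly) is what keeps a forgotten endpoint from being exposed.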

Lifecycle (expert)
At what point in the Spring Security filter chain is authorization enforced?

In Spring Security, when during the filter chain processing is authorization (access control) checked?

A. After the controller processes the request, to verify output security.
B. Authorization is not handled by filters but by database triggers.
C. Before authentication filters, to block unauthenticated requests early.
D. After authentication filters have successfully authenticated the user, before the request reaches the controller.
💡 Hint

Think about the order: the authentication filters run first and populate the SecurityContext (with an anonymous token if nobody logged in); the authorization filter (AuthorizationFilter in Spring Security 6, FilterSecurityInterceptor in 5) sits at the end of the chain and decides just before the request is dispatched to the controller.

Practice

1. Why is authorization important in a Spring Boot application?
easy
A. It controls which users can access specific features or data.
B. It speeds up the application performance.
C. It automatically fixes bugs in the code.
D. It manages database connections.

Solution

  1. Step 1: Understand the role of authorization

    Authorization decides what parts of the app a user can use or see.
  2. Step 2: Compare with other options

    Speed, bug fixing, and database management are unrelated to authorization.
  3. Final Answer:

    It controls which users can access specific features or data. -> Option A
  4. Quick Check:

    Authorization = Access control [OK]
Hint: Authorization means controlling user access rights [OK]
Common Mistakes:
  • Confusing authorization with authentication
  • Thinking authorization improves speed
  • Assuming it manages databases
2. Which of the following is the correct way to restrict access to a controller method in Spring Boot using annotations?
easy
A. @Component
B. @RequestMapping("/user")
C. @Autowired
D. @Secured("ROLE_USER")

Solution

  1. Step 1: Identify the annotation for authorization

    @Secured lists the authorities allowed to call a method. It takes effect only when method security is enabled with @EnableMethodSecurity(securedEnabled = true) (Spring Security 6) or @EnableGlobalMethodSecurity(securedEnabled = true) (Spring Security 5); without that switch the annotation is silently ignored.
  2. Step 2: Understand other annotations

    @RequestMapping maps URLs, @Autowired injects dependencies, @Component marks beans.
  3. Final Answer:

    @Secured("ROLE_USER") -> Option D
  4. Quick Check:

    @Secured = Role-based access [OK]
Hint: Use @Secured to set role access on methods [OK]
Common Mistakes:
  • Using @RequestMapping for authorization
  • Confusing @Autowired with access control
  • Mixing @Component with security
3. Given this Spring Security configuration, what happens when an authenticated user who does not hold the ADMIN role requests /admin/dashboard?
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration @EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // Spring Security 5 API, removed in 6
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")   // requires the authority ROLE_ADMIN
            .anyRequest().authenticated();               // any other URL: any authenticated user
    }
}
medium
A. The user will be redirected to the login page.
B. The user will get a 403 Forbidden error.
C. The user can access the page without restrictions.
D. The application will crash with an exception.

Solution

  1. Step 1: Analyze the role restriction

    The config restricts URLs starting with /admin/ to users with ADMIN role only.
  2. Step 2: Understand unauthorized access behavior

    An authenticated user without ROLE_ADMIN fails the hasRole check and receives 403 Forbidden; there is no redirect and no exception reaches the client. Only an unauthenticated caller is sent to the authentication entry point (the login page when form login is configured).
  3. Final Answer:

    The user will get a 403 Forbidden error. -> Option B
  4. Quick Check:

    Unauthorized access = 403 error [OK]
Hint: No role match means 403 Forbidden error [OK]
Common Mistakes:
  • Thinking an authenticated but under-privileged user is redirected to login (that happens only for unauthenticated callers)
  • Assuming unrestricted access
  • Expecting application crash on access denial
4. Identify the error in this Spring Security method-level authorization code:
@Secured("USER")
public String getUserData() {
    return "data";
}
medium
A. The role name should be prefixed with 'ROLE_'.
B. The method must return void for @Secured.
C. The annotation should be @Autowired instead of @Secured.
D. The method name cannot be getUserData.

Solution

  1. Step 1: Check role naming convention

    @Secured compares the literal authority string and does not add a prefix. The role helpers (hasRole, roles("USER"), @PreAuthorize's hasRole) store and look up roles as ROLE_USER, so "USER" never matches and every caller is denied; it must be "ROLE_USER".
  2. Step 2: Validate other options

    Return type can be String, @Autowired is unrelated, method name is valid.
  3. Final Answer:

    The role name should be prefixed with 'ROLE_'. -> Option A
  4. Quick Check:

    Role prefix 'ROLE_' required [OK]
Hint: Always prefix roles with 'ROLE_' in @Secured [OK]
Common Mistakes:
  • Omitting 'ROLE_' prefix in role names
  • Confusing @Secured with dependency injection
  • Thinking method name affects authorization
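The prefix rule behind the syntax challenge, practice question 2 and this question can be checked without a web layer: a @Configuration that enables method security, one service bean carrying each annotation, and a caller whose authorities are set directly on the SecurityContext. This is an added example, not code from the page: it assumes Spring Security 6.x on the classpath, and ReportService, its methods and the authorities used are hypothetical.

```java
// Added example (not code from the quiz page). Assumes Spring Security 6.x (spring-security-core,
// spring-security-config) and spring-context on the classpath; no web layer is needed.
// The package, ReportService and the user names are hypothetical.
package com.example.authz.method;

import java.util.function.Function;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityPrefixDemo {

    // @PreAuthorize is honoured as soon as method security is enabled; @Secured additionally
    // needs securedEnabled = true. Without this annotation none of the checks below run.
    @Configuration
    @EnableMethodSecurity(securedEnabled = true)
    static class Config {
        @Bean
        ReportService reportService() { return new ReportService(); }
    }

    // Plain class; Spring wraps the bean in a proxy that evaluates the annotation before each call.
    public static class ReportService {

        @PreAuthorize("hasRole('ADMIN')")            // hasRole adds the ROLE_ prefix: needs ROLE_ADMIN
        public String adminByRole() { return "admin report"; }

        @PreAuthorize("hasAuthority('ROLE_ADMIN')")  // the same check with the prefix written out
        public String adminByAuthority() { return "admin report"; }

        @Secured("ROLE_USER")                        // @Secured matches the literal authority name
        public String userData() { return "user data"; }

        @Secured("USER")                             // the bug from practice question 4: no ROLE_ prefix
        public String brokenUserData() { return "unreachable for ROLE_USER holders"; }
    }

    // Run one call as a caller holding the given authorities and report whether it was allowed.
    static String attempt(ReportService svc, String who, String[] authorities,
                          Function<ReportService, String> call) {
        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken(who, "n/a", authorities)); // marked authenticated
        try {
            return who + " -> allowed: " + call.apply(svc);
        } catch (AccessDeniedException e) {
            return who + " -> denied";
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(Config.class)) {
            ReportService svc = ctx.getBean(ReportService.class);
            String[] user = {"ROLE_USER"};
            String[] admin = {"ROLE_ADMIN"};

            // ROLE_USER holder: the correctly prefixed @Secured passes, the unprefixed one
            // and the ADMIN-only method are both denied.
            System.out.println(attempt(svc, "alice", user, ReportService::userData));
            System.out.println(attempt(svc, "alice", user, ReportService::brokenUserData));
            System.out.println(attempt(svc, "alice", user, ReportService::adminByRole));

            // ROLE_ADMIN holder: hasRole('ADMIN') and hasAuthority('ROLE_ADMIN') behave identically.
            System.out.println(attempt(svc, "root", admin, ReportService::adminByRole));
            System.out.println(attempt(svc, "root", admin, ReportService::adminByAuthority));
        }
    }
}
```

The point of the broken method is that it fails closed: a mis-prefixed role does not open the method to everyone, it denies everyone, which is why the defect tends to surface as a confusing 403 rather than as a leak. If a code base really does store roles without the prefix, change the prefix once (a GrantedAuthorityDefaults bean) rather than mixing hasAuthority and hasRole spellings across controllers.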
5. You want to allow only users with roles ADMIN or MANAGER to access a sensitive endpoint in Spring Boot. Which configuration snippet correctly implements this authorization rule?
A)
http.authorizeRequests()
    .antMatchers("/sensitive/**").hasAnyRole("ADMIN", "MANAGER")
    .anyRequest().authenticated();
B)
http.authorizeRequests()
    .antMatchers("/sensitive/**").hasRole("ADMIN")
    .antMatchers("/sensitive/**").hasRole("MANAGER")
    .anyRequest().authenticated();
C)
http.authorizeRequests()
    .antMatchers("/sensitive/**").permitAll()
    .anyRequest().authenticated();
D)
http.authorizeRequests()
    .antMatchers("/sensitive/**").denyAll()
    .anyRequest().authenticated();
hard
A. Permit all users to access the sensitive path (snippet C).
B. Use two separate hasRole calls for each role on the same path (snippet B).
C. Use hasAnyRole with both roles in one call (snippet A).
D. Deny all users access to the sensitive path (snippet D).

Solution

  1. Step 1: Understand role checks for multiple roles

    hasAnyRole allows specifying multiple roles in one call to grant access if any match.
  2. Step 2: Analyze other options

    Two hasRole calls on the same path do not combine: Spring Security applies the first rule whose pattern matches the request, so the second /sensitive/** line is never consulted and MANAGER users get 403. permitAll switches authorization off for the path entirely, and denyAll blocks everyone, including ADMIN.
  3. Final Answer:

    Use hasAnyRole with both roles in one call (snippet A). -> Option C
  4. Quick Check:

    Multiple roles = hasAnyRole() [OK]
Hint: Use hasAnyRole() for multiple roles on one path [OK]
Common Mistakes:
  • Stacking several hasRole rules on the same pattern (only the first one is ever applied)
  • Allowing all users mistakenly
  • Denying all users when some should access
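Why snippet B fails is easiest to see by building the same rule table that authorizeRequests() produces under the hood and querying it directly, without starting a web application. This is an added example, not code from the page: it assumes Spring Security 6.x (spring-security-web) plus spring-test for MockHttpServletRequest, and the paths and authorities are made up for the demonstration.

```java
// Added example (not code from the quiz page). Assumes Spring Security 6.x (spring-security-web)
// and spring-test (MockHttpServletRequest) on the classpath; paths and authorities are made up.
package com.example.authz.rules;

import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

public class RuleOrderDemo {

    // Snippet B, built the way authorizeRequests()/authorizeHttpRequests() builds it internally:
    // an ordered list of (matcher, manager) pairs walked top to bottom; the first match decides.
    static AuthorizationManager<HttpServletRequest> shadowedRules() {
        return RequestMatcherDelegatingAuthorizationManager.builder()
            .add(new AntPathRequestMatcher("/sensitive/**"), AuthorityAuthorizationManager.hasRole("ADMIN"))
            // Same pattern as the entry above, so this entry is never selected for any request.
            .add(new AntPathRequestMatcher("/sensitive/**"), AuthorityAuthorizationManager.hasRole("MANAGER"))
            .add(AnyRequestMatcher.INSTANCE, AuthenticatedAuthorizationManager.authenticated())
            .build();
    }

    // Snippet A: a single entry whose manager accepts either role.
    static AuthorizationManager<HttpServletRequest> combinedRule() {
        return RequestMatcherDelegatingAuthorizationManager.builder()
            .add(new AntPathRequestMatcher("/sensitive/**"),
                 AuthorityAuthorizationManager.hasAnyRole("ADMIN", "MANAGER"))
            .add(AnyRequestMatcher.INSTANCE, AuthenticatedAuthorizationManager.authenticated())
            .build();
    }

    // Ask a rule table whether a GET on `path` by a caller holding `authorities` is granted.
    static boolean allowed(AuthorizationManager<HttpServletRequest> rules, String path, String... authorities) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path); // AntPathRequestMatcher matches servletPath + pathInfo, not the URI
        Authentication caller = new TestingAuthenticationToken("someone", "n/a", authorities); // authenticated
        Supplier<Authentication> supplier = () -> caller;
        return rules.check(supplier, request).isGranted();
    }

    public static void main(String[] args) {
        // Under snippet B the MANAGER request hits the ADMIN entry first and stops there.
        System.out.println("B, ADMIN:   " + allowed(shadowedRules(), "/sensitive/report", "ROLE_ADMIN"));
        System.out.println("B, MANAGER: " + allowed(shadowedRules(), "/sensitive/report", "ROLE_MANAGER"));

        // Under snippet A both roles are accepted by the one entry; an unrelated role is not,
        // and a path outside /sensitive/** falls through to authenticated().
        System.out.println("A, MANAGER: " + allowed(combinedRule(), "/sensitive/report", "ROLE_MANAGER"));
        System.out.println("A, USER:    " + allowed(combinedRule(), "/sensitive/report", "ROLE_USER"));
        System.out.println("A, profile: " + allowed(combinedRule(), "/profile", "ROLE_USER"));
    }
}
```

The same first-match-wins rule is why a broad pattern placed early (for example /** before /admin/**) silently disables everything after it, and why rule tables should be reviewed from the most specific pattern down to the catch-all. The check() method is the Spring Security 6.x entry point; 6.4 and later also offer authorize(), which returns the same decision.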