Authorization & Access Control In Spring Security

    Question 1: SPRING SECURITY - Role vs Authority

    In Spring Security, what is the key difference between roles and authorities?

    Question 2: SPRING SECURITY - Method Level Authorization

    What does the following annotation enforce?

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long id) { ... }

    Question 3: SPRING SECURITY - Expression-Based Access Control

    Which of the following is true about Spring Security’s expression-based access control?

    Question 4: SPRING SECURITY - Code Snippet (HttpSecurity Rules)

    What does the following configuration do?

    http
        .authorizeHttpRequests()
            .requestMatchers("/admin/**").hasRole("ADMIN")
            .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
            .anyRequest().authenticated();

    Question 5: SPRING SECURITY - AccessDecisionManager

    Internally, what does `AccessDecisionManager` do?

    Question 6: SPRING SECURITY - Code Snippet (PostAuthorize)

    What does the following annotation achieve?

    @PostAuthorize("returnObject.owner == authentication.name")
    public Account getAccount(Long id) { ... }

    Question 7: SPRING SECURITY - Hierarchical Roles

    If hierarchical roles are configured such that `ROLE_ADMIN > ROLE_USER`, what does it mean?

    Question 8: SPRING SECURITY - Code Snippet (Custom Access Expression)

    What does this expression check?

    @PreAuthorize("#username == authentication.name")
    public void updateProfile(String username) { ... }

    Question 9: SPRING SECURITY - Voters in Access Control

    How does Spring Security’s `AccessDecisionManager` typically make decisions with multiple voters?

    Question 10: SPRING SECURITY - Anonymous vs Authenticated Access

    What does the following rule configure?

    http
        .authorizeHttpRequests()
            .requestMatchers("/login", "/register").permitAll()
            .anyRequest().authenticated();