Quiz Entry - updated: 2026.07.14
How do you implement role-based access control middleware?
Use a centralized middleware/interceptor that checks roles before the request reaches the controller.
Spring Security example (Java):
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/admin/**").hasRole("ADMIN")
.requestMatchers("/api/users/**").hasAnyRole("ADMIN", "USER")
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated() // Closed policy: deny by default
);
return http.build();
}
}
Why middleware, not manual checks?
| Approach | Pros | Cons |
|---|---|---|
| Middleware/Interceptor | Centralized, can't forget, consistent | Less flexible per-endpoint |
| Manual per-endpoint | Fine-grained control | Easy to forget on one endpoint |
Best practice: Use middleware for role-level access, add manual checks for ownership/resource-level access within the controller.