One of the Spring Security question asked to me on a recent interview was about is it enough to hide portions of JSP to protect a URL from unauthorized access in Spring security? First of all I didn't understand the question, so I ask him to clarify a bit more. He explained to me that there are different roles in his application e.g. DEVELOPER, ADMIN, TRADER, OPERATION and each role can only see the functionalities based upon their role. For example, an ADMIN has a right to add or remove new users into the system, while DEVELOPER can only see test order, but OPERATION can see all orders.