docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
Lines changed: 9 additions & 33 deletions
Original file line number
Diff line number
Diff line change
@@ -544,6 +544,14 @@ open class BankService {
544
544
The result is that the above method will only return the `Account` if its `owner` attribute matches the logged-in user's `name`.
545
545
If not, Spring Security will throw an `AccessDeniedException` and return a 403 status code.
546
546
547
+
[NOTE]
548
+
=====
549
+
Note that `@PostAuthorize` is not recommended for classes that perform database writes since that typically means that a database change was made before the security invariants were checked.
550
+
A common example of doing this is if you have `@Transactional` and `@PostAuthorize` on the same method.
551
+
Instead, read the value first, using `@PostAuthorize` on the read, and then perform the database write, should that read is authorized.
552
+
If you must do something like this, you can <<changing-the-order, ensure that `@EnableTransactionManagement` comes before `@EnableMethodSecurity`>>.
553
+
=====
554
+
547
555
[[use-prefilter]]
548
556
=== Filtering Method Parameters with `@PreFilter`
549
557
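Review bot: the last sentence of the added NOTE, "then perform the database write, should that read is authorized", has a grammar slip; make it "should that read be authorized" (or simply "if that read is authorized"). "Note that" at the start of a [NOTE] admonition is redundant and can be dropped. More substantively, the closing sentence links `<<changing-the-order, ensure that `@EnableTransactionManagement` comes before `@EnableMethodSecurity`>>`, but the second hunk of this same commit deletes the only text under that anchor that showed how to do it (the `@EnableTransactionManagement(order = 0)` and `<tx:annotation-driven ref="txManager" order="0"/>` examples), so the link now lands on a section that only mentions `offset` without a value. Either keep a one-line `order = 0` example at the link target or reword the link to state what the reader must actually configure there.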
@@ -1795,39 +1803,7 @@ As already noted, there is a Spring AOP method interceptor for each annotation,
1795
1803
1796
1804
Namely, the `@PreFilter` method interceptor's order is 100, ``@PreAuthorize``'s is 200, and so on.
1797
1805
1798
-
The reason this is important to note is that there are other AOP-based annotations like `@EnableTransactionManagement` that have an order of `Integer.MAX_VALUE`.
1799
-
In other words, they are located at the end of the advisor chain by default.
1800
-
1801
-
At times, it can be valuable to have other advice execute before Spring Security.
1802
-
For example, if you have a method annotated with `@Transactional` and `@PostAuthorize`, you might want the transaction to still be open when `@PostAuthorize` runs so that an `AccessDeniedException` will cause a rollback.
1803
-
1804
-
To get `@EnableTransactionManagement` to open a transaction before method authorization advice runs, you can set ``@EnableTransactionManagement``'s order like so:
1805
-
1806
-
[tabs]
1807
-
======
1808
-
Java::
1809
-
+
1810
-
[source,java,role="primary"]
1811
-
----
1812
-
@EnableTransactionManagement(order = 0)
1813
-
----
1814
-
1815
-
Kotlin::
1816
-
+
1817
-
[source,kotlin,role="secondary"]
1818
-
----
1819
-
@EnableTransactionManagement(order = 0)
1820
-
----
1821
-
1822
-
Xml::
1823
-
+
1824
-
[source,xml,role="secondary"]
1825
-
----
1826
-
<tx:annotation-driven ref="txManager" order="0"/>
1827
-
----
1828
-
======
1829
-
1830
-
Since the earliest method interceptor (`@PreFilter`) is set to an order of 100, a setting of zero means that the transaction advice will run before all Spring Security advice.
1806
+
You can use the `offset` parameter on `@EnableMethodSecurity` to move all interceptors en masse to provide their advice earlier or later in a method invocation.
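Review bot: the replacement sentence "You can use the `offset` parameter on `@EnableMethodSecurity` to move all interceptors en masse" drops the two facts that made the deleted paragraph actionable: that `@EnableTransactionManagement` advice defaults to an order of `Integer.MAX_VALUE` (end of the advisor chain, so by default the transaction has already committed when `@PostAuthorize` runs and an `AccessDeniedException` cannot roll it back), and that an order of `0` on the transaction advice puts it ahead of the earliest security interceptor, `@PreFilter` at 100. It also does not say which sign of `offset` moves the security interceptors later, nor what replaces the deleted XML form `<tx:annotation-driven ref="txManager" order="0"/>`, which an `offset` on a Java annotation does not cover. Suggest keeping one sentence stating the default orders plus one concrete example (either the `order = 0` snippet or an explicit `offset` value with its effect), since the NOTE added in the first hunk cross-references this section for exactly that guidance.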