docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
Lines changed: 9 additions & 33 deletions
@@ -546,6 +546,14 @@ open class BankService {
546
546
The result is that the above method will only return the `Account` if its `owner` attribute matches the logged-in user's `name`.
547
547
If not, Spring Security will throw an `AccessDeniedException` and return a 403 status code.
548
548
549
+
[NOTE]
550
+
=====
551
+
Note that `@PostAuthorize` is not recommended for classes that perform database writes since that typically means that a database change was made before the security invariants were checked.
552
+
A common example of doing this is if you have `@Transactional` and `@PostAuthorize` on the same method.
553
+
Instead, read the value first, using `@PostAuthorize` on the read, and then perform the database write, should that read is authorized.
554
+
If you must do something like this, you can <<changing-the-order, ensure that `@EnableTransactionManagement` comes before `@EnableMethodSecurity`>>.
555
+
=====
556
+
549
557
[[use-prefilter]]
550
558
=== Filtering Method Parameters with `@PreFilter`
551
559
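Review bot: The xref on the last added line promises a way to "ensure that `@EnableTransactionManagement` comes before `@EnableMethodSecurity`", so the `changing-the-order` section it links to must keep a concrete instruction for doing that, otherwise the note sends the reader to a section that no longer says how. Two smaller points on the same block: "should that read is authorized" is ungrammatical (suggest "if that read is authorized"), and "classes that perform database writes" should probably read "methods", since `@Transactional` and `@PostAuthorize` in the example are method-level. One sentence of rationale would also help readers accept the recommendation: with the default ordering the transaction advice runs innermost, so the write is committed before `@PostAuthorize` evaluates and persists even when an `AccessDeniedException` is thrown.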
@@ -1797,39 +1805,7 @@ As already noted, there is a Spring AOP method interceptor for each annotation,
1797
1805
1798
1806
Namely, the `@PreFilter` method interceptor's order is 100, ``@PreAuthorize``'s is 200, and so on.
1799
1807
1800
-
The reason this is important to note is that there are other AOP-based annotations like `@EnableTransactionManagement` that have an order of `Integer.MAX_VALUE`.
1801
-
In other words, they are located at the end of the advisor chain by default.
1802
-
1803
-
At times, it can be valuable to have other advice execute before Spring Security.
1804
-
For example, if you have a method annotated with `@Transactional` and `@PostAuthorize`, you might want the transaction to still be open when `@PostAuthorize` runs so that an `AccessDeniedException` will cause a rollback.
1805
-
1806
-
To get `@EnableTransactionManagement` to open a transaction before method authorization advice runs, you can set ``@EnableTransactionManagement``'s order like so:
1807
-
1808
-
[tabs]
1809
-
======
1810
-
Java::
1811
-
+
1812
-
[source,java,role="primary"]
1813
-
----
1814
-
@EnableTransactionManagement(order = 0)
1815
-
----
1816
-
1817
-
Kotlin::
1818
-
+
1819
-
[source,kotlin,role="secondary"]
1820
-
----
1821
-
@EnableTransactionManagement(order = 0)
1822
-
----
1823
-
1824
-
Xml::
1825
-
+
1826
-
[source,xml,role="secondary"]
1827
-
----
1828
-
<tx:annotation-driven ref="txManager" order="0"/>
1829
-
----
1830
-
======
1831
-
1832
-
Since the earliest method interceptor (`@PreFilter`) is set to an order of 100, a setting of zero means that the transaction advice will run before all Spring Security advice.
1808
+
You can use the `offset` parameter on `@EnableMethodSecurity` to move all interceptors en masse to provide their advice earlier or later in a method invocation.
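Review bot: Deleting the `@EnableTransactionManagement(order = 0)` snippets and the sentence "Since the earliest method interceptor (`@PreFilter`) is set to an order of 100, a setting of zero means that the transaction advice will run before all Spring Security advice" leaves this section with no concrete way to put transaction advice ahead of the security interceptors, yet the new note added in the `@PostAuthorize` section links here for exactly that. The surviving sentence about `offset` only says interceptors move "earlier or later" without a value or direction, and the deleted text itself records that transaction advice defaults to `Integer.MAX_VALUE`, so an offset applied to the security interceptors alone cannot place them after it. Suggest keeping at least one of the `order = 0` examples (or the XML `<tx:annotation-driven ref="txManager" order="0"/>` form) alongside the `offset` sentence, or rewording the `offset` sentence to state the specific setting the xref depends on. The removed rationale, that the transaction should still be open when `@PostAuthorize` runs so that an `AccessDeniedException` causes a rollback, is the security justification for the whole recommendation and is worth preserving too.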