How can I get a @PostAuthorize failure to cause a rollback with @Transactional?

I have some complicated access restrictions in my application which basically require looking at a combination of the user's roles, as well as some deep properties of the domain objects, to make access decisions.

For some of my methods (specifically things like getItem(Integer id) and updateItem(Integer id, FormBean form)), I can't really know ahead of time if they're allowed to access that item, as I don't have it yet, so I had been using @PostAuthorize.

However, that latter example, updateItem(id, form) presents a challenge. I only want to allow them to update the form in certain specific cases. Right now, I do see the @PostAuthorize causing them to get an HTTP 403 response when they do something they shouldn't, but the database changes aren't rolled back.

Is it possible to get @PreAuthorize, @Transactional and @PostAuthorize to all play nicely together in this case? (I think maybe by adjusting the order of some advice on them... but I'm not totally clear on how that ordering should be done).

Or, has my system gotten complex enough that I should really bite the bullet on Domain ACLs? Unfortunately, the documentation on those feels rather thin...

pioto asked Nov 19 '22 23:11


1 Answer

The Spring framework uses Ordered to define the ordering of beans. The easiest way to explicitly define the order for @Transactional and @PostAuthorize is through the annotations:

@EnableTransactionManagement(order = 0)
@EnableGlobalMethodSecurity(prePostEnabled = true, order = 1)
Andrey Ofim answered May 08 '23 10:05
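The following is an added example, not code from the question or the answer, showing the ordering the answer describes applied to the updateItem(id, form) case from the question. It assumes a Spring Boot application with Spring Security and Spring transaction support on the classpath; Item, ItemRepository, ItemForm and the owner/title fields are hypothetical names. A lower order value means higher precedence, i.e. the outer advice: with the transaction interceptor at order 0 wrapping the security interceptor at order 1, the AccessDeniedException raised by @PostAuthorize propagates out through the transaction advice and, being a RuntimeException, triggers a rollback under the default rollback rules.

```java
// Added example (not from the original question or answer). Names such as Item,
// ItemRepository and ItemForm are hypothetical placeholders.

// ---- file: MethodSecurityOrderingConfig.java ----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.transaction.annotation.EnableTransactionManagement;

// Lower order value = higher precedence = outermost advice. The transaction
// interceptor (order 0) must wrap the method-security interceptor (order 1) so
// that a @PostAuthorize failure unwinds through the transaction and rolls it back.
// If neither order is set, both default to Ordered.LOWEST_PRECEDENCE and their
// relative position is not guaranteed, which is how a 403 can be returned while
// the database changes stay committed.
@Configuration
@EnableTransactionManagement(order = 0)
@EnableGlobalMethodSecurity(prePostEnabled = true, order = 1)
public class MethodSecurityOrderingConfig {
}

// ---- file: ItemService.java ----
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
class ItemService {

    private final ItemRepository items;   // hypothetical Spring Data repository

    ItemService(ItemRepository items) {
        this.items = items;
    }

    // Cheap checks that need no domain object go in @PreAuthorize and reject
    // the call before any write happens.
    @PreAuthorize("isAuthenticated()")
    // The ownership check needs the loaded entity, so it can only run after the
    // method body. Because the write below has already executed inside the
    // transaction, the rollback triggered by AccessDeniedException is what
    // keeps an unauthorized caller's changes out of the database.
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    @Transactional
    public Item updateItem(Integer id, ItemForm form) {
        Item item = items.findById(id)
                .orElseThrow(() -> new IllegalArgumentException("no item " + id));
        item.setTitle(form.getTitle());
        return items.save(item);   // dirty write, undone on rollback
    }
}
```

Two practical limits of this approach are worth keeping in mind. The rollback only covers work done inside this transaction: anything performed in a nested REQUIRES_NEW transaction, or against non-transactional resources (files, outbound HTTP calls, e-mail), is not undone. And since the entity is loaded before the decision is made, a check that can be expressed on the id alone belongs in @PreAuthorize so the write never occurs in the first place.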