Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Order of Spring @Transactional and Spring Security @PreAuthorize

So I have something like the following:

public interface  MyService {

    @PreAuthorize("hasPermission(T(Name).OBJ, T(Action).GET)")
    MyObj getObj(String id);
}

@Service
public class MyServiceImpl implements MyService {

    @Override
    @Transactional
    public MyObj getObj(String id){

        return dao.get(id);
    }
}

@Controller
public class MyController {

    @Resource(name="myServiceImpl")
    private MyService service;

    public MyObj getObj(String id){

       return service.getObj(id);
    }
}

When the method getObj(id) is called, everything is wrapped in a transaction first, then authorization is checked. Is is possible to keep this configuration and first get Spring to check for authorization, then create the transaction if the user is authorized?

I've spent a good deal searching for an answer and could not find anything.

like image 624
Jcx Jc Avatar asked Jan 13 '12 20:01

Jcx Jc


1 Answers

You can use order attribute when configuring @Transactional:

<tx:annotation-driven order="100"/>

Experiment with lower values to move transaction aspect after the authorization one. Looks like <security:global-method-security/> also has this setting. The security aspect needs to have a higher value (lower priority) to be executed first.

See also

  • Table 10.2. settings

  • 7.2.4.7 Advice ordering

like image 177
Tomasz Nurkiewicz Avatar answered Sep 22 '22 12:09

Tomasz Nurkiewicz