Order of Spring @Transactional and Spring Security @PreAuthorize

Question

So I have something like the following:

public interface  MyService {

    @PreAuthorize("hasPermission(T(Name).OBJ, T(Action).GET)")
    MyObj getObj(String id);
}

---

@Service
public class MyServiceImpl implements MyService {

    @Override
    @Transactional
    public MyObj getObj(String id){

        return dao.get(id);
    }
}

---

@Controller
public class MyController {

    @Resource(name="myServiceImpl")
    private MyService service;

    public MyObj getObj(String id){

       return service.getObj(id);
    }
}

When the method getObj(id) is called, everything is wrapped in a transaction first, then authorization is checked. Is is possible to keep this configuration and first get Spring to check for authorization, then create the transaction if the user is authorized?

I've spent a good deal searching for an answer and could not find anything.

Answer 1

You can use order attribute when configuring @Transactional:

<tx:annotation-driven order="100"/>

Experiment with lower values to move transaction aspect after the authorization one. Looks like <security:global-method-security/> also has this setting. The security aspect needs to have a higher value (lower priority) to be executed first.

See also

• Table 10.2. settings

• 7.2.4.7 Advice ordering