Order of Spring @Transactional and Spring Security @PreAuthorize

Question

So I have something like the following:

public interface  MyService {

    @PreAuthorize("hasPermission(T(Name).OBJ, T(Action).GET)")
    MyObj getObj(String id);
}

@Service
public class MyServiceImpl implements MyService {

    @Override
    @Transactional
    public MyObj getObj(String id){

        return dao.get(id);
    }
}

@Controller
public class MyController {

    @Resource(name="myServiceImpl")
    private MyService service;

    public MyObj getObj(String id){

       return service.getObj(id);
    }
}

When the method getObj(id) is called, everything is wrapped in a transaction first, then authorization is checked. Is is possible to keep this configuration and first get Spring to check for authorization, then create the transaction if the user is authorized?

I've spent a good deal searching for an answer and could not find anything.

score 17 · Answer 1 · edited May 23 '17 at 12:26

17

You can use order attribute when configuring @Transactional:

<tx:annotation-driven order="100"/>

Experiment with lower values to move transaction aspect after the authorization one. Looks like <security:global-method-security/> also has this setting. The security aspect needs to have a higher value (lower priority) to be executed first.

Ah. I was looking for something along those lines, but could not find the specific place where the order parameter is defined. I think I know what I have to do now to solve the problem I'm having. Changing the order in the security tag will work best in my case. Thanks. – Jcx Jc Jan 13 '12 at 21:43
Is this still the answer in 2021? – Mathew Alden Apr 13 '21 at 19:03

Order of Spring @Transactional and Spring Security @PreAuthorize

1 Answers1

See also

Linked