We have two service methods in two different services in our Spring application which are both annotated with @Transactional(isolation = Isolation.SERIALIZABLE). Both methods read and write data to and from our DB and work with the same entities. All querying is done through Spring Data repositories.
Both methods also have @PreAuthorize(@customPermissionEvaluator.evaluate(...)) annotations on them which call custom methods. Inside the permission evaluator we access the database through Spring Data repositories to read data as well. The permission evaluator methods themselves don't have any transactional annotations.
This pattern creates an issue for us when the two service methods which are @Transactional(isolation = Isolation.SERIALIZABLE) get called at the same time. If this happens, we quickly get into data consistency issues with phantom reads (the two service methods operate on the same entities). However, we get the right transaction handling as soon as we remove the @PreAuthorize annotations from both methods. It seems like the entities loaded in the @PreAuthorize might be cached by Hibernate and they don't get a refresh when we query them again in the service methods.
Underneath we're running a MySQL database.
Does anyone have any idea what is going on here or has anyone had a similar issue in Spring before? Are there any rules/restrictions regarding database access from custom @PreAuthorize methods? We are really lost at this point... Thanks!