Add @EnableTransactionManagement Details

Closes gh-13152
spring-projects · May 24, 2023 · 68b0522 · 68b0522
1 parent 62ede47
commit 68b0522
Showing 1 changed file with 59 additions and 0 deletions.
diff --git a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc
@@ -104,6 +104,65 @@ should change to:
 ----
 ====
 
+=== Change the `order` value in `@EnableTransactionManagement`
+
+`@EnableTransactionManagement` and `@EnableGlobalMethodSecurity` have the same `order` value, `Integer.MAX_VALUE`.
+This means that their order in the Spring AOP Advisor chain relative to each other is undefined.
+
+This is often fine since most method security expressions don't require an open transaction to function correctly; however, historically it was sometimes necessary to ensure one happens before the other by setting their `order` values.
+
+`@EnableMethodSecurity` does not have an `order` value since it publishes multiple interceptors.
+Indeed, it cannot attempt backward-compatibility with `@EnableTransactionManagement` since it cannot set all the interceptors to be in the same advisor chain location.
+
+Instead, the values for the `@EnableMethodSecurity` interceptors are based off of an offset of 0.
+The `@PreFilter` interceptor has an order of 100; `@PostAuthorize`, 200; and so on.
+
+So, if after updating you find that your method security expressions are not working due to not having an open transaction, please change your transaction annotation definition from the following:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@EnableTransactionManagement
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableTransactionManagement
+----
+
+.Xml
+[source,xml,role="secondary"]
+----
+<tx:annotation-driven ref="txManager"/>
+----
+====
+
+to:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@EnableTransactionManagement(order = 0)
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableTransactionManagement(order = 0)
+----
+
+.Xml
+[source,xml,role="secondary"]
+----
+<tx:annotation-driven ref="txManager" order="0"/>
+----
+====
+
+In this way, the transaction AOP advice will be placed before Spring Security's advice and the transaction will be open when your authorization SpEL expressions are evaluated.
+
 === Use a Custom `@Bean` instead of subclassing `DefaultMethodSecurityExpressionHandler`
 
 As a performance optimization, a new method was introduced to `MethodSecurityExpressionHandler` that takes a `Supplier<Authentication>` instead of an `Authentication`.