Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13152
Comments
Same issue for. After carefully reading the migration guide, it seems this new behaviour is not mentioned, while the impacts are real under the hood (the security checks are not performed in the same transaction as the protected business method). Any recommendation or advice?
Thanks for the report, @kris2kris.
The reason your app is breaking with Instead what happens is the authorization interceptors are ordered from 0, going up by 100 for each interceptor, similar to the security filter chain. Given that, you can define your @EnableTransactionManagement(order = 0)

Yes, I think folks would benefit from this being clearer in the migration guide and the reference documentation, so I'll use this ticket to add that. Also, I think it would be helpful to add a value like
Hello,
I performed the migration from EnableGlobalMethodSecurity to EnableMethodSecurity.
So I :
I have a method with two annotations, Transactional and PreAuthorize.
PreAuthorize calls my custom hasPermission method.
Before migration, my custom hasPermission method is executed after Transaction creation.
After migration, my custom hasPermission method is executed before Transaction creation, so I cannot use some operations like a findAll which returns a stream.
The workaround that I found is to change the order of the EnableTransactionManagement annotation to HIGHEST_PRECEDENCE.
Are you aware of this problem? Is there a better way to fix it? I didn't find anything in the migration guide about this.
I use Spring Boot 3.0.6.
You can find a simple sample here: https://github.com/kris2kris/migration-method-security
Once started, you must perform a GET on localhost:8080/entities to reproduce the problem.
If you switch the comment in Config.class and roll back to the old version it works; if you uncomment the order on EnableTransactionManagement it also works.
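The ordering fix discussed in this thread, as an added example that is not part of the issue or the linked sample: a `@PreAuthorize` check whose custom `PermissionEvaluator` streams from a repository, with `@EnableTransactionManagement(order = 0)` so the transaction opens first. The type names (`Doc`, `DocRepository`, `MethodSecurityConfig`, `DocService`) are hypothetical, and the types are shown in one listing for brevity. The guard inside the evaluator is an added check that surfaces an ordering regression.

```java
// Added example; every type name below is hypothetical (not from the linked sample).
import java.io.Serializable;
import java.util.stream.Stream;
import jakarta.persistence.*;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.context.annotation.*;
import org.springframework.data.repository.Repository;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.*;
import org.springframework.transaction.support.TransactionSynchronizationManager;

@Entity class Doc { @Id Long id; String owner; }
interface DocRepository extends Repository<Doc, Long> {
    Stream<Doc> findAllBy(); // a streamed result needs an open transaction
}
@Configuration
@EnableMethodSecurity
@EnableTransactionManagement(order = 0) // lower than the PreAuthorize interceptor, so it runs first
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler expressionHandler(ObjectProvider<DocRepository> repo) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new PermissionEvaluator() {
            public boolean hasPermission(Authentication auth, Object target, Object permission) {
                // Surface an ordering regression instead of failing deep inside the repository.
                if (!TransactionSynchronizationManager.isActualTransactionActive())
                    throw new IllegalStateException("permission check ran outside the transaction");
                try (Stream<Doc> docs = repo.getObject().findAllBy()) {
                    return docs.anyMatch(d -> d.id.equals(target) && auth.getName().equals(d.owner));
                }
            }
            public boolean hasPermission(Authentication a, Serializable id, String type, Object p) {
                return false; // id/type form is not used here: deny
            }
        });
        return handler;
    }
}
@Service
class DocService {
    @Transactional(readOnly = true)
    @PreAuthorize("hasPermission(#id, 'read')")
    public String read(Long id) { return "doc " + id; }
}
```

With the `order` attribute removed, the transaction advisor falls back to its default lowest precedence, the evaluator runs first, and the guard throws.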