From 68b052218a3833ecd9462c698c05e9f3b9d12663 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 24 May 2023 10:10:00 -0600 Subject: [PATCH] Add @EnableTransactionManagement Details Closes gh-13152 --- .../migration/servlet/authorization.adoc | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc index 0d4363b265..51d6539a1c 100644 --- a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc +++ b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc 
@@ -104,6 +104,65 @@ should change to: ---- ==== +=== Change the `order` value in `@EnableTransactionManagement` + +`@EnableTransactionManagement` and `@EnableGlobalMethodSecurity` have the same `order` value, `Integer.MAX_VALUE`. +This means that their order in the Spring AOP Advisor chain relative to each other is undefined. + +This is often fine since most method security expressions don't require an open transaction to function correctly; however, historically it was sometimes necessary to ensure one happens before the other by setting their `order` values. + +`@EnableMethodSecurity` does not have an `order` value since it publishes multiple interceptors. +Indeed, it cannot attempt backward-compatibility with `@EnableTransactionManagement` since it cannot set all the interceptors to be in the same advisor chain location. + +Instead, the values for the `@EnableMethodSecurity` interceptors are based off of an offset of 0. +The `@PreFilter` interceptor has an order of 100; `@PostAuthorize`, 200; and so on. + +So, if after updating you find that your method security expressions are not working due to not having an open transaction, please change your transaction annotation definition from the following: + +==== +.Java +[source,java,role="primary"] +---- +@EnableTransactionManagement +---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@EnableTransactionManagement +---- + +.Xml +[source,xml,role="secondary"] +---- + +---- +==== + +to: + +==== +.Java +[source,java,role="primary"] +---- +@EnableTransactionManagement(order = 0) +---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@EnableTransactionManagement(order = 0) +---- + +.Xml +[source,xml,role="secondary"] +---- + +---- +==== + +In this way, the transaction AOP advice will be placed before Spring Security's advice and the transaction will be open when your authorization SpEL expressions are evaluated. 
+ === Use a Custom `@Bean` instead of subclassing `DefaultMethodSecurityExpressionHandler` As a performance optimization, a new method was introduced to `MethodSecurityExpressionHandler` that takes a `Supplier` instead of an `Authentication`.
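Review bot: The closing sentence of the new section ("the transaction AOP advice will be placed before Spring Security's advice") states the benefit of `order = 0` but not the cost: with the transaction advisor ahead of every method security interceptor, a transaction is opened before any authorization decision is made, including for calls that are then denied. Suggest adding a sentence saying so, and recommending the change only for applications whose SpEL expressions actually need an open transaction, which is the condition the "So, if after updating you find..." paragraph already sets. Separately, both `.Xml` listings (the "from" and the "to" block) are empty between their `----` delimiters as shown here, so the XML tab would give readers nothing to copy; the before and after forms of the XML transaction configuration should be filled in to match the Java and Kotlin tabs.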