Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 01:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add @EnableTransactionManagement Details

Browse Source 
Closes gh-13152
This commit is contained in:
Josh Cummings 2023-05-24 10:10:00 -06:00
parent 62ede47d86
commit 68b052218a
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
docs/modules/ROOT/pages/migration/servlet/authorization.adoc
View File

@ -104,6 +104,65 @@ should change to:
---- ----
==== ====
=== Change the `order` value in `@EnableTransactionManagement`
`@EnableTransactionManagement` and `@EnableGlobalMethodSecurity` have the same `order` value, `Integer.MAX_VALUE`.
This means that their order in the Spring AOP Advisor chain relative to each other is undefined.
This is often fine since most method security expressions don't require an open transaction to function correctly; however, historically it was sometimes necessary to ensure one happens before the other by setting their `order` values.
`@EnableMethodSecurity` does not have an `order` value since it publishes multiple interceptors.
Indeed, it cannot attempt backward-compatibility with `@EnableTransactionManagement` since it cannot set all the interceptors to be in the same advisor chain location.
Instead, the values for the `@EnableMethodSecurity` interceptors are based off of an offset of 0.
The `@PreFilter` interceptor has an order of 100; `@PostAuthorize`, 200; and so on.
So, if after updating you find that your method security expressions are not working due to not having an open transaction, please change your transaction annotation definition from the following:
====
.Java
[source,java,role="primary"]
----
@EnableTransactionManagement
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableTransactionManagement
----
.Xml
[source,xml,role="secondary"]
----
<tx:annotation-driven ref="txManager"/>
----
====
to:
====
.Java
[source,java,role="primary"]
----
@EnableTransactionManagement(order = 0)
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableTransactionManagement(order = 0)
----
.Xml
[source,xml,role="secondary"]
----
<tx:annotation-driven ref="txManager" order="0"/>
----
====
In this way, the transaction AOP advice will be placed before Spring Security's advice and the transaction will be open when your authorization SpEL expressions are evaluated.
=== Use a Custom `@Bean` instead of subclassing `DefaultMethodSecurityExpressionHandler` === Use a Custom `@Bean` instead of subclassing `DefaultMethodSecurityExpressionHandler`
As a performance optimization, a new method was introduced to `MethodSecurityExpressionHandler` that takes a `Supplier<Authentication>` instead of an `Authentication`. As a performance optimization, a new method was introduced to `MethodSecurityExpressionHandler` that takes a `Supplier<Authentication>` instead of an `Authentication`.