Consider warning when EnableTransactionManagement has lower precedence than EnableMethodSecurity #17544

@jzheaux

The 5.8 migration guide advises applications to set @EnableTransactionManagement(order = 0) in order to ensure that it has higher priority than @EnableMethodSecurity.

While this is technically correct, in practice an application may have other AOP modules to consider in order to determine where transaction management should go, which Security doesn't know about.

Due to this, it may be helpful for security to warn if @EnableTransactionManagement has a lower precedence than @EnableMethodSecurity, since that's all that Security recommends. It would do this only when prePostEnabled is true and would take into account the order value for @EnableTransactionManagement and offset for @EnableMethodSecurity.

I feel it should be a warning instead of an error since @PostAuthorize is not as commonly used on methods with side-effects and may not be used at all in an application.
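The ordering described in this issue, as an added example that is not part of the original issue or of Spring Security's own code. `Account`, `AccountRepository`, `AccountService` and both configuration class names are hypothetical; the two configuration classes are alternatives, and only one would be registered in an application.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical domain types, defined here only so the example is self-contained.
record Account(String owner, long balance) {}

interface AccountRepository {
    Account debit(long accountId, long amount); // writes to the database
}

// Ordering the issue would warn about: @EnableTransactionManagement keeps its
// default order (Ordered.LOWEST_PRECEDENCE), so the transaction interceptor is
// the innermost advice. The transaction commits before the @PostAuthorize
// check runs, and a denial no longer undoes the write.
@Configuration
@EnableMethodSecurity // prePostEnabled defaults to true
@EnableTransactionManagement
class DefaultOrderConfig {}

// Ordering recommended by the 5.8 migration guide: order = 0 gives the
// transaction interceptor higher precedence than the method security
// interceptors, so it wraps them. An AccessDeniedException raised by
// @PostAuthorize passes through the transaction interceptor and, being a
// RuntimeException, triggers a rollback.
@Configuration
@EnableMethodSecurity
@EnableTransactionManagement(order = 0)
class TransactionFirstConfig {}

@Service
class AccountService {
    private final AccountRepository accounts;

    AccountService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    // A method with a side effect whose authorization depends on the return
    // value: the case where the relative order of the two advisors matters.
    @Transactional
    @PostAuthorize("returnObject.owner == authentication.name")
    public Account debit(long accountId, long amount) {
        return accounts.debit(accountId, amount);
    }
}
```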


Labels: in: config, type: enhancement
