Order of Spring @Transactional and Spring Security @PreAuthorize
Question
So I have something like the following:
public interface MyService {
    @PreAuthorize("hasPermission(T(Name).OBJ, T(Action).GET)")
    MyObj getObj(String id);
}

@Service
public class MyServiceImpl implements MyService {
    @Override
    @Transactional
    public MyObj getObj(String id) {
        return dao.get(id);
    }
}

@Controller
public class MyController {
    @Resource(name = "myServiceImpl")
    private MyService service;

    public MyObj getObj(String id) {
        return service.getObj(id);
    }
}
When the method getObj(id) is called, everything is wrapped in a transaction first, then authorization is checked. Is it possible to keep this configuration and first get Spring to check for authorization, then create the transaction if the user is authorized?
I've spent a good deal of time searching for an answer and could not find anything.
Recommended answer
You can use the order attribute when configuring @Transactional:
<tx:annotation-driven order="100"/>
Experiment with lower values to move the transaction aspect after the authorization one. Looks like <security:global-method-security/> also has this setting. The security aspect needs to have a higher value (lower priority) to be executed first.
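To verify which advice runs first for a given pair of order values rather than guess, the harness below (an added example, not code from the question or the answer) counts transactions begun while an unauthenticated call is rejected. It assumes Spring Security 5.x Java config, where `@EnableGlobalMethodSecurity` and `@EnableTransactionManagement` expose the same order setting as the XML elements; `AdviceOrderCheck`, `Svc`, `SvcImpl`, `Cfg`, the `hasRole('ADMIN')` expression and the counting transaction manager are hypothetical names made up for the check.

```java
import java.util.concurrent.atomic.AtomicInteger;
import org.springframework.context.annotation.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.transaction.*;
import org.springframework.transaction.annotation.*;
import org.springframework.transaction.support.*;

// Hypothetical harness: counts transactions begun while an unauthenticated call is rejected.
public class AdviceOrderCheck {
    static final AtomicInteger BEGUN = new AtomicInteger();

    public interface Svc {
        @PreAuthorize("hasRole('ADMIN')")
        String get(String id);
    }

    public static class SvcImpl implements Svc {
        @Override @Transactional
        public String get(String id) { return id; }
    }

    // Spring AOP sorts advisors by order value: the lowest value has the highest
    // precedence and runs first on the way into the method.
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true, order = 0)
    @EnableTransactionManagement(order = 100)
    static class Cfg {
        @Bean Svc svc() { return new SvcImpl(); }
        @Bean PlatformTransactionManager txManager() {
            return new AbstractPlatformTransactionManager() {
                @Override protected Object doGetTransaction() { return new Object(); }
                @Override protected void doBegin(Object tx, TransactionDefinition def) { BEGUN.incrementAndGet(); }
                @Override protected void doCommit(DefaultTransactionStatus status) { }
                @Override protected void doRollback(DefaultTransactionStatus status) { }
            };
        }
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Cfg.class)) {
            ctx.getBean(Svc.class).get("42"); // SecurityContext is empty, so the check must fail
        } catch (RuntimeException rejected) {
            System.out.println("rejected: " + rejected.getClass().getSimpleName());
        }
        // Any transaction begun here means the transaction advisor ran before the security check.
        System.out.println("transactions begun: " + BEGUN.get());
    }
}
```

Swap the two order values and rerun to see the count change; the same comparison applies to the order attributes on `<tx:annotation-driven/>` and `<security:global-method-security/>`.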