Reputation: 175
I have a question about Spring Security and Spring Caching. Say I have a method and I have annotated the method with @PreAuthorize("condition") and @Cacheable(...), like this:
@PreAuthorize("some authorization check")
@Cacheable(....)
public String calculate() {
....
}
Does @PreAuthorize (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html) take precedence over @Cacheable (http://docs.spring.io/spring/docs/3.1.0.M1/spring-framework-reference/html/cache.html)? Does the framework guarantee that the @PreAuthorize security check will be evaluated, even if the result of the calculate() function has already been calculated and cached? Please keep in mind that this function can be called by, say, user A, then the value is stored in the cache, and then another user (user B) does an action that requires this function to be called again. Will the @PreAuthorize condition be evaluated or not?
From what I can find in the Spring documentation, both @PreAuthorize and @Cacheable have the order of their advice defined as "Ordered.LOWEST_PRECEDENCE", which, I believe, means that the order in which they are evaluated is undefined?
Thanks!
Upvotes: 6
Views: 1391
Reputation: 22994
Both the <security:global-method-security> and <cache:annotation-driven> tags that enable the @PreAuthorize and @Cacheable annotations have an order attribute that determines the execution precedence of their AOP advice.
If you want to ensure that the security check always happens before the cache check "on the way in", then you should give it a higher precedence by setting the order attribute to a lower value.
<security:global-method-security order="1">
Upvotes: 6
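The effect of advice ordering on the user A / user B scenario from the question, as an added example that is not part of the original posts and not Spring's implementation. It is a plain-Java model of ordered around-advice; the `Advice` interface, the `SECURITY` and `CACHE` stand-ins, the user names and the returned value are all hypothetical.

```java
import java.util.*;
import java.util.function.Supplier;

// Added illustration: a plain-Java model of ordered around-advice (no Spring classes).
public class AdviceOrderDemo {
    // Hypothetical advice type: receives the caller and the rest of the chain.
    interface Advice { String invoke(String user, Supplier<String> next); }

    static final Map<String, String> cache = new HashMap<>();

    // Stand-in for @PreAuthorize: only "userA" passes this constructed check.
    static final Advice SECURITY = (user, next) -> {
        if (!"userA".equals(user)) throw new SecurityException("denied: " + user);
        return next.get();
    };

    // Stand-in for @Cacheable: on a hit it returns without proceeding down the chain.
    static final Advice CACHE = (user, next) -> {
        String hit = cache.get("calculate");
        if (hit != null) return hit;
        String value = next.get();
        cache.put("calculate", value);
        return value;
    };

    static String calculate() { return "secret-result"; }

    // Lower order value = higher precedence = outermost advice = runs first on the way in.
    static String call(String user, SortedMap<Integer, Advice> chain) {
        Supplier<String> next = AdviceOrderDemo::calculate;
        List<Advice> advices = new ArrayList<>(chain.values());
        Collections.reverse(advices);            // wrap from innermost to outermost
        for (Advice a : advices) {
            Supplier<String> inner = next;
            next = () -> a.invoke(user, inner);
        }
        try { return next.get(); } catch (SecurityException e) { return e.getMessage(); }
    }

    public static void main(String[] args) {
        SortedMap<Integer, Advice> cacheFirst = new TreeMap<>(Map.of(1, CACHE, 2, SECURITY));
        SortedMap<Integer, Advice> securityFirst = new TreeMap<>(Map.of(1, SECURITY, 2, CACHE));
        // Cache advice outermost: user A populates the cache, user B's hit skips the check.
        System.out.println("cache first,    userA -> " + call("userA", cacheFirst));
        System.out.println("cache first,    userB -> " + call("userB", cacheFirst));
        cache.clear();
        // Security advice outermost: user B is rejected even though the value is cached.
        System.out.println("security first, userA -> " + call("userA", securityFirst));
        System.out.println("security first, userB -> " + call("userB", securityFirst));
    }
}
```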