chotchki

Reputation: 4343

When does a Spring @PostFilter execute?

I am using Spring's @Around annotations to provide caching of DAO calls and also using Spring Security's @PostFilter to restrict the viewing of certain records. However, I am concerned that the cache could bypass the PostFilter and present a security problem.

How do I tell what order @PostFilter and @Around wrap the target object?

Upvotes: 1

Views: 1215

Answers (1)

axtavt

Reputation: 242766

You can specify an order of Spring Security's aspects by setting the order attribute of <security:global-method-security> (I guess it's zero by default).

You can also specify an order of your own aspect as described in 7.2.4.7 Advice ordering:

The highest precedence advice runs first "on the way in" (so given two pieces of before advice, the one with highest precedence runs first). "On the way out" from a join point, the highest precedence advice runs last (so given two pieces of after advice, the one with the highest precedence will run second).
...
You can control the order of execution by specifying precedence. This is done in the normal Spring way by either implementing the org.springframework.core.Ordered interface in the aspect class or annotating it with the Order annotation. Given two aspects, the aspect returning the lower value from Ordered.getValue() (or the annotation value) has the higher precedence.

Upvotes: 3
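An added example, not part of the question or the answer above: a caching aspect ordered so that Spring Security's advice wraps it, so @PostFilter still runs on cache hits. The class name DaoCacheAspect, the com.example.dao package in the pointcut, and the order values 1 and 2 are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Assumed XML side (the order attribute is the one named in the answer):
//   <security:global-method-security pre-post-annotations="enabled" order="1"/>
// order="1" is lower than @Order(2) below, so the security advice has the
// higher precedence: it runs first on the way in and last on the way out,
// which means @PostFilter sees whatever this aspect returns, cached or not.
@Aspect
@Component
@Order(2)
public class DaoCacheAspect {

    // Holds UNFILTERED results, shared by all users; never handed out directly.
    private final ConcurrentMap<String, List<Object>> cache = new ConcurrentHashMap<>();

    // Hypothetical pointcut: List-returning finders in an assumed DAO package.
    @Around("execution(java.util.List com.example.dao..*.find*(..))")
    public Object cacheResult(ProceedingJoinPoint pjp) throws Throwable {
        // Simplified key: method signature plus argument values.
        String key = pjp.getSignature().toLongString()
                + Arrays.deepToString(pjp.getArgs());
        List<Object> cached = cache.get(key);
        if (cached == null) {
            @SuppressWarnings("unchecked")
            List<Object> loaded = (List<Object>) pjp.proceed();
            if (loaded == null) {
                return null; // nothing to cache
            }
            // Store a private copy so the caller's list and ours are distinct.
            cached = new ArrayList<>(loaded);
            cache.putIfAbsent(key, cached);
        }
        // Spring Security's default handler applies @PostFilter by removing
        // elements from the returned collection in place, so return a fresh
        // copy; otherwise one user's filtering would shrink the cached list.
        return new ArrayList<>(cached);
    }
}
```

With the order values reversed, the cache would sit outside the security advice and could return a list that was filtered for a different user, or store one that was already filtered.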
