We have just migrated to Spring Security 3.0.8 from 2.0.8 (Can' upgrade to the latestversion which is 3.2.X as our core spring libraries are still on 3.0.X, which we plan to upgrade later when business permits).
I understand that we now have annotations for securing methods like @PreAuthorize, @PostAuthorize, @Secured, @PreFilter and @PostFilter.
I understand the use of @PreAuthorize, which really makes sense. But can't think of any valid use cases where you would ever use @PostAuthorize or @PostFilter annotation?
Can somebody who used it please explain to me a reasonable use-case for using them?
Thanks in advance!
Both the @PostAuthorize and @PostFilter are used, mostly, in combination with ACL. Where the @PostAuthorize will generate an exception if something is returned which one hasn't access to, the @PostFilter will remove the objects one doesn't have access to (in general useful when returning collections of elements).