I'm using Spring Security in my project. I have a service as follows:
    public interface A {
        @PostFilter("hasPermission(filterObject, 'read')")
        List<MyEntity> method1();

        @PostFilter("hasPermission(filterObject, 'read')")
        List<MyEntity> method2();
    }
In the implementation of method1() I use method2(), but the PostFilter in method2() doesn't work in this state. Why?
Your observation is correct.
To process security annotations, Spring uses proxies. A proxy is a dynamically generated class that is put between the caller and the actual implementation. So when you use interface A you are not actually invoking your implementation directly, but a security layer.
By default Spring uses interface proxies; the proxy implements the interface in question. That means the security is only invoked when you use A as an interface. The security is not enforced when a method is invoked from the implementation class itself, because the implementation does not know of the proxy.
By using class proxies, the security annotations can work when a method is invoked from the class itself, because then the proxy extends the implementation. However, still only annotations on public methods work.
For a more in-depth explanation of proxies, see "Proxying mechanisms" in the Spring Framework manual.
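
The interface-proxy behaviour described in the answer, reduced to a plain JDK dynamic proxy. This is an added example, not code from the question or from Spring: the prefix check stands in for `hasPermission(filterObject, 'read')`, the entities are plain strings, and `AImpl`, `secure` and the `self` field are hypothetical names.

```java
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.stream.Collectors;

public class SelfInvocationDemo {
    interface A {
        List<String> method1();
        List<String> method2();
    }

    static class AImpl implements A {
        // Assumption for the demo: "self" is the reference used for the inner call.
        // It starts as "this" (the question's situation) and can be switched to the proxy.
        A self = this;

        public List<String> method1() {
            // Reports how many entries the implementation received from method2().
            return List.of("method1 received " + self.method2().size() + " entries");
        }

        public List<String> method2() {
            // Constructed sample data: one readable entry, one the caller must not see.
            return List.of("public-report", "secret-report");
        }
    }

    // Stand-in for the security proxy: every list returned THROUGH the interface is
    // filtered, the way @PostFilter removes elements that fail the permission check.
    static A secure(A target) {
        return (A) Proxy.newProxyInstance(A.class.getClassLoader(), new Class<?>[] {A.class},
            (proxy, method, args) -> {
                List<?> result = (List<?>) method.invoke(target, args);
                return result.stream()
                    .filter(o -> !o.toString().startsWith("secret"))
                    .collect(Collectors.toList());
            });
    }

    public static void main(String[] args) {
        AImpl impl = new AImpl();
        A proxied = secure(impl);
        // External call: goes through the proxy, so method2()'s result is filtered.
        System.out.println(proxied.method2());
        // Inner call on "this": never reaches the proxy, method1() works on the unfiltered list.
        System.out.println(proxied.method1());
        // Inner call routed through the proxy reference: the filter runs for method2() as well.
        impl.self = proxied;
        System.out.println(proxied.method1());
    }
}
```

The count printed by `method1()` differs between the last two calls because only the second one passes through the filtering layer on its way to `method2()`.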