change transactional definition at run time in declarative Transaction Management

[sh_sadrai]

We are using Spring declarative transaction management. We need to intercept some how and change the transactional behaviour at run time based on user permission and if he has no permission change it to readonly. What is the best way to approach?

[dlmiles]

Are you sure it is possible to _ENFORCE_ your security policy in this way? This idea has been tested on a small scale? I'd like to know what happens, do you get some kind of exception back, when the transaction is set readOnly=true but performs an operation that has a side-effect?


Which transactionManager implementation are you currently using ?

What is the runtime environment of the application ? where is the user permission coming from (for example web-app, using session cookie setup via login process) ?


Have you considered not doing this with the transaction management but with a custom annotation and your own AOP interceptor ? Maybe you can configure the default action to take into account the readOnly=true/false value of transaction annoatation if your custom one is not present. It would seem to me transaction boundary and security boundary are seperate concerns just ripe for AOP use.

There is also spring-security project that might be able to provide such assistance.