Intuitively @PreAuthorize made more sense to me, mainly to save the object lookup I guess. I did not even consider @Post before.
The doc indeed specifies "Less commonly, you may wish to perform an access-control check after the method has been invoked. This can be achieved using the @PostAuthorize annotation. To access the return value from a method, use the built–in name returnObject in the expression." which probably made me forget about it!
But now that you mention it, it just works and can indeed be useful in some cases where info on the returned object have to be used.
And it's a welcome alternative as still I can't make head or tails of SpEL for now, my IDE doesn't seem to let me debug further down ExpressionUtils.evaluateAsBoolean(...). That's where I can lookup SpelEvaluationException.
doesn't seem to work, I get a
@PreAuthorize("hasPermission(#id, T(SpelUtil).name(#entity), read)")
org.springframework.expression.spel.SpelEvaluationException: EL1005E:(pos 0): Type cannot be found 'SpelUtil'
@PreAuthorize("hasPermission(#id, #entity.getCanonicalName(), read)")
<T extends ModelObject> T getEntity(@NotNull Class<T> entity, @NotNull Serializable id);
org.springframework.expression.spel.SpelEvaluationException: EL1004E:(pos 0): Method call: Method getCanonicalName() cannot be found on com.company.common.model.member.Member type
which worked but evaluated the targetType as 'java.lang.Class'. This seems quite inconsistent to me.
@PreAuthorize("hasPermission(#id, #entity.getClass().getCanonicalName(), read)")
Anyways, I'd be very interested in getting 'T(SpelUtil).name(#entity)' to be evaluated successfully.
I thing it'd be a good idea to include in the doc a syntax example to work with generics.