Description
AnnotationTransactionAttributeSource contains a flag whether to only consider public methods, set to true by default. I assume that stems from the times when JDK proxies where the primary way of applying proxies and with those only public methods can be intercepted anyway.
With CGLib proxies this is different. Package private methods can be invoked on the proxy and properly make their way through the AOP infrastructure. However, the lookup of transaction attributes is eagerly aborted due to the flag mentioned above. This creates confusing situations (assume @EnableGlobalMethodSecurity and @EnableTransactionManagement applied):
@Component
class MyClass {
@Secured(…)
@Transactional
void someMethod() { … }
}In this example, the security annotations are applied as the security infrastructure does not work with a flag like this and the advice is registered for the method invocation. The transactional annotations are not applied, as the method is not inspected for transactional annotations in the first place.
I wonder if it makes sense to flip the flag based on the proxyTargetClass attribute in @EnableTransactionManagement. If that is set to true, CGLib proxies are created and thus, transaction annotations should be regarded on package protected methods. This seems to be especially important in the context of Spring Boot setting this flag to true by default.
A current workaround is demonstrated in this commit, which uses a PriorityOrdered BeanPostProcessor to reflectively flip the flag, not considering any configuration as in that particular case we know we're always gonna run with CGLib proxies.