Spring Security Consider warning when EnableTransactionManagement has lower precedence than EnableMethodSecurity

The 5.8 migration guide advises applications to set @EnableTransationManagement(order = 0) in order to ensure that it has higher priority than @EnableMethodSecurity.

While this is technically correct, in practice and application may have other AOP modules to consider in order to determine where transaction management should go, which Security doesn't know about.

Due to this, it may be helpful for security to warn if @EnableTransactionManagement has a lower precedence than @EnableMethodSecurity, since that's all that Security recommends. It would do this only when prePostEnabled is true and would take into account the order value for @EnableTransactionManagement and offset for @EnableMethodSecurity.

I feel it should be a warning instead of an error since @PostAuthorize is not as commonly used on methods with side-effects and may not be used at all in an application.

Comment From: therepanic

Hi, @jzheaux. I believe we can extend PrePostMethodSecurityConfiguration to log if @EnableTransactionManagement has a lower precedence?