When an application does the following:

@PostAuthorize("returnObject.owner == authentication.name")
@Transactional
public Widget updateWidget(...) {
    // ...
}

It is effectively writing to the database and only then checking whether that write was authorized. While it's possible to configure an application to roll back this update, a stronger security posture is to authorize the read first, as a separate step, before attempting a write:

// WidgetRepository.java
@PostAuthorize("returnObject.owner == authentication.name")
Widget findById(...);

// WidgetController.java
@Transactional
public Widget updateWidget(...) {
    Widget widget = this.widgets.findById(...); // throws exception if unauthorized, so write is never performed
    // ...
}
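The two shapes side by side, as an added example rather than code from the issue or from Spring Security itself; the Widget fields, class names, the use of an EntityManager in the weak version and the (id, newName) parameters are assumptions, while the @PostAuthorize expression and read-first structure are the issue's.

```java
// Added example, not code from the issue or from Spring Security itself. Entity
// fields, class names and the (id, newName) parameters are assumptions.
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import org.springframework.data.repository.Repository;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Assumed JPA entity (mapping annotations omitted): a Widget owned by one user.
class Widget {
    private String owner, name;
    public String getOwner() { return owner; }
    public void setName(String name) { this.name = name; }
}

// WEAK: assuming default advisor ordering, the @Transactional proxy sits inside the
// method-security proxy, so the commit (and the JPA flush of the rename) has already
// happened when @PostAuthorize rejects the return value. Caller gets AccessDeniedException.
@Service
class WriteThenCheckService {
    @PersistenceContext private EntityManager em;
    @PostAuthorize("returnObject.owner == authentication.name")
    @Transactional
    public Widget updateWidget(Long id, String newName) {
        Widget widget = em.find(Widget.class, id);
        widget.setName(newName);   // mutated before any authorization decision
        return widget;
    }
}

// STRONGER: authorize the read on the repository. SpEL safe navigation (?.) makes a
// missing widget fail the check too, so probing ids cannot tell "not found" from "not yours".
interface WidgetRepository extends Repository<Widget, Long> {
    @PostAuthorize("returnObject?.owner == authentication.name")
    Widget findById(Long id);
}

@Service
class ReadThenWriteService {
    private final WidgetRepository widgets;
    ReadThenWriteService(WidgetRepository widgets) { this.widgets = widgets; }
    @Transactional
    public Widget updateWidget(Long id, String newName) {
        Widget widget = widgets.findById(id); // AccessDeniedException here: nothing written
        widget.setName(newName);              // reached only for the owner
        return widget;                        // flushed at commit
    }
}
```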

We should update the documentation about @PostAuthorize to recommend this approach.