If it only makes sense to grant the authorization on the full list, then you would have to wrap the list in a wrapper class that has a getId() method:

    public class ListWrapper {
        private List<Test> tests;

        public Serializable getId() {
            ... some id ...
        }
    }

To validate the items one by one, annotate a method that takes a single test, not the method with the loop:

    public void update(List<Test> tests) {
        for (Test test : tests) {
            update(test);
        }
    }

    @PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')")
    public void update(Test test) {
        testRepository.save(test);
        updateDeviceAcl(test);
    }

If you are not using AspectJ compile-time or load-time weaving to apply the aspects, then put these two methods in separate beans and inject one into the other. Normal JDK or CGLIB proxies will not apply @PreAuthorize (or any other aspect) on reentrant calls.
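
The reentrant-call behaviour described above, shown with a plain JDK dynamic proxy standing in for Spring's security proxy. This is an added example, not code from the answer: the class names, the String ids used in place of Test, and the `writable` set that plays the role of the permission check are all assumptions made for illustration.

```java
import java.lang.reflect.*;
import java.util.*;

public class SelfInvocationDemo {
    interface TestService {                    // hypothetical bean interface
        void update(String testId);            // the method that carries the check
        void updateAll(List<String> testIds);  // the method with the loop
    }

    static class TestServiceImpl implements TestService {
        final List<String> saved = new ArrayList<>();
        public void update(String testId) { saved.add(testId); }
        public void updateAll(List<String> testIds) {
            for (String id : testIds) update(id);  // this.update(): never reaches the proxy
        }
    }

    // The loop moved into a second bean that is handed the proxied TestService.
    static class BatchService {
        private final TestService secured;
        BatchService(TestService secured) { this.secured = secured; }
        void updateAll(List<String> testIds) {
            for (String id : testIds) secured.update(id);  // every call passes the proxy
        }
    }

    // Stand-in for the security interceptor: it checks calls to update() only.
    static TestService secure(TestService target, Set<String> writable) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("update") && !writable.contains(args[0])) {
                throw new SecurityException("write denied for " + args[0]);
            }
            return method.invoke(target, args);
        };
        return (TestService) Proxy.newProxyInstance(
                TestService.class.getClassLoader(), new Class<?>[] {TestService.class}, handler);
    }

    public static void main(String[] args) {
        TestServiceImpl impl = new TestServiceImpl();
        TestService proxy = secure(impl, Set.of("t1"));  // caller may write t1 only
        proxy.updateAll(List.of("t1", "t2"));            // loop and check in the same bean
        System.out.println("same bean:     saved " + impl.saved);
        impl.saved.clear();
        try {
            new BatchService(proxy).updateAll(List.of("t1", "t2"));
        } catch (SecurityException e) {
            System.out.println("separate bean: " + e.getMessage() + ", saved " + impl.saved);
        }
    }
}
```

In the separate-bean run the first item is already saved when the second one is denied, so a batch that must be all-or-nothing also needs the loop to run inside one transaction.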