concept @postfilter in category spring
This is an excerpt from Manning's book Spring Security in Action MEAP V07.
Using the @PreFilter annotation in the case of repositories is merely the same thing as applying this annotation at any other layer of your application. But when it comes to post-filtering, the situation changes. Using @PostFilter on repository methods technically works fine, but it’s rarely a good choice for applying filtering from the performance point of view.
Say you have an application managing the documents of your company. The developer needs to implement a feature where all the documents are listed on a web page after the user logs in. The developer decides to use the findAll() method of the Spring Data repository and annotates it with @PostFilter to allow Spring Security to filter the documents such that the method returns only those owned by the currently logged. This approach is clearly wrong, as it allows the application to retrieve from the database all the records and then filter them itself. If we have a large number of documents calling findAll() without pagination could directly lead to an OutOfMemoryError. Even if the number of documents isn’t that big to fill up the heap, it’s still less performant to filter the records in your application rather than retrieving from the beginning only what you need from the database (figure 17.9).
Figure 17.10 In our scenario, we start by implementing the application using @PostFilter to filter the products based on their owner. Then, we change the implementation to add the condition directly on the query. This way, we make sure the application only gets from the source the needed records.
