I want to seek a best practice for applying business rules when working with spring data rest.

Lets consider following scenario:

• I have a Customer and Order in @OneToMany relationship.
• I have a business rule saying that Customer needs to have verified flag set to be able to make orders

So I need to make sure that whenever someone POSTs to /orders the Customer making the call is verified.

I'm considering using beforeSave Validators autowiring other service/repositories into the Validator and check whatever needs to be checked.

Is there better way of achieving the same?

There are several ways to solve this. As far as my knowledge goes:

1. Usage of spring security annotations like @PreAuthorize. The intended use of these annotations is however for security purposes and you are mentioning business rules. I would use these for user authorization rules Spring data rest security chapter

2. The use of validators as you mentioned yourself. Spring data rest Validators

3. Use spring data rest events Spring data rest events. You can create global event handlers, however here you need to determine the entity type. I would go with Annotated event handlers to perform business logic Spring data rest annotated event handler

So just for the sake of world piece I'm adding my solution. Went with #2.

The documentation is pretty clear on how to proceed so just sharing few tips which may save you time.

1. You need to assign validators manually, auto-discovery doesn't work
2. Manually spelling event type is error prone, some helper Enum could be handy.

Like:

/** 
 * "beforeSave" gets called on PATCH/PUT methods
 * "beforeCreate" on POST
 * "beforeDelete" on DELETE
 */
enum Event {
    ON_CREATE("beforeCreate"), ON_UPDATE("beforeSave"), 
 ON_DELETE("beforeDelete");

    private String name;

    Event(String name) {
        this.name = name;
    }
} 

...

private static void addValidatorForEvents(ValidatingRepositoryEventListener eventListener, Validator validator, Event... events) {
    Arrays.asList(events).forEach(event -> eventListener.addValidator(event.name, validator));
}

One out of the box solution you can use to solve your Business rules related problems, is using Spring AOP. What you can do, is define an Annotation (say @X) and place that annotation on top of your POST call.

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface X{}

Next what you need to do is, create an aspect, and run your custom validation logic in this aspect as follows,

@Aspect
@Component
public class CustomAspect {

   //You can autowire beans here

    @Around("@annotation(qualified name of X)")
    public Object customMethod(ProceedingJoinPoint joinPoint) throws Throwable {
        flag = customLogic();
        if (flag){
           return joinPoint.proceed(); //return if logic passes, otherwise
        }else{
           throw new BusinessRuleException("Business rule violated");
        }
    }

    private boolean customLogic(){
     //your custom logic goes here
    }
}

And finally apply this annotation on top of any method in controller layer like:

@X
@RequestMapping(method = RequestMethod.POST, value = "do-something")
public void callSomething(HttpServletRequest request) throws Exception {
   // your business logic goes here
}

Only thing to note above is that you need to pass HttpServletRequest request explicitly to your controller method in order to AOP aspect get the same context for manipulation of user session related attributes like session_id, etc.

Above solution will help you add business rules on top of your Business Logic and help you with all kinds of pre validations you want to build in your web application. It is a pretty handy application of Spring AOP. Do reach out in case of any