I am trying to learn and apply to my Spring Boot project some Spring Security ACL controls. Thus I have tried to reuse the code snippet from Spring Security reference, which I have adapted a little bit to my project needs.
I have the following component to populate the database with some initial values at start time.
@Component
public class AppBootstrap {
private Authority adminAuth;
private User admin;
private TimeSheet timeSheetAdmin;
private final JdbcMutableAclService jdbcMutableAclService;
private final PlatformTransactionManager transactionManager;
@Autowired
public AppBootstrap(JdbcMutableAclService jdbcMutableAclService, PlatformTransactionManager transactionManager) {
this.jdbcMutableAclService = jdbcMutableAclService;
this.transactionManager = transactionManager;
}
@Bean
public CommandLineRunner initialAuthorities(AuthorityRepository authorityRepository) {
return args -> {
adminAuth = new Authority(ROLE_ADMIN);
authorityRepository.save(adminAuth);
};
}
@Bean
public CommandLineRunner initialUsers(UserRepository userRepository) {
return args -> {
admin = new User("admin",
"{bcrypt}$2a$08$lDnHPz7eUkSi6ao14Twuau08mzhWrL4kyZGGU5xfiGALO/Vxd5DOi", "admin",
"admin", "admin@example.com", true, getDate(2016, JANUARY, 1));
admin.setAuthorities(asList(adminAuth));
userRepository.save(admin);
};
}
@Bean
public CommandLineRunner initialTimeSheets(TimeSheetRepository timeSheetRepository) {
return args -> {
timeSheetAdmin = new TimeSheet(LocalDate.of(2016, MARCH, 1), admin);
timeSheetRepository.save(timeSheetUser);
};
}
@Bean
public CommandLineRunner initialRights() {
return args -> grantPermission(admin, timeSheetAdmin, ADMINISTRATION);
}
MutableAcl grantPermission(User user, TimeSheet timeSheet, Permission p) {
TransactionTemplate transactionTemplate = new TransactionTemplate(transactionManager);
SecurityContext securityContext = SecurityContextHolder.getContext();
var authorities = user.getAuthorities().stream().map(auth -> auth.getName().toString()).collect(toList());
Authentication authentication = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPass(), AuthorityUtils.createAuthorityList(authorities.toArray(new String[]{})));
securityContext.setAuthentication(authentication);
ObjectIdentity oiTimeSheet = new ObjectIdentityImpl(TimeSheet.class, timeSheet.getId());
Sid sidAdmin = new PrincipalSid(user.getUsername());
MutableAcl acl;
try {
acl = (MutableAcl) jdbcMutableAclService.readAclById(oiTimeSheet);
} catch (NotFoundException nfe) {
acl = transactionTemplate.execute(status -> jdbcMutableAclService.createAcl(oiTimeSheet));
}
acl.insertAce(acl.getEntries().size(), p, sidAdmin, true);
// updating permission
MutableAcl finalAcl = acl;
return transactionTemplate.execute(status -> jdbcMutableAclService.updateAcl(finalAcl));
}
}
This method is ran every time the application context is refreshed. I can see that, if I run just one test method (or test class), it runs successfully. These tests are end to end tests (@RunWith(SpringRunner.class) @SpringBootTest). Also, no problem to run my @SpringBootApplication alone. But if I run all tests at once, almost all @SpringBootTest are failing with the following stack trace
java.lang.IllegalStateException: Failed to load ApplicationContext
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:125)
at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:108)
at org.springframework.test.context.web.ServletTestExecutionListener.setUpRequestContextIfNecessary(ServletTestExecutionListener.java:190)
at org.springframework.test.context.web.ServletTestExecutionListener.prepareTestInstance(ServletTestExecutionListener.java:132)
at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:246)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.createTest(SpringJUnit4ClassRunner.java:227)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner$1.runReflectiveCall(SpringJUnit4ClassRunner.java:289)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.methodBlock(SpringJUnit4ClassRunner.java:291)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:246)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:27)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:800)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:781)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:335)
at org.springframework.boot.test.context.SpringBootContextLoader.loadContext(SpringBootContextLoader.java:139)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:99)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:117)
... 32 more
Caused by: org.springframework.dao.DataIntegrityViolationException: PreparedStatementCallback; SQL [insert into acl_entry (acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure)values (?, ?, ?, ?, ?, ?, ?)Cannot add or update a child row: a foreign key constraint fails (`iresource2test`.`acl_entry`, CONSTRAINT `fk_acl_entry_object` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`)); nested exception is java.sql.BatchUpdateException: Cannot add or update a child row: a foreign key constraint fails (`iresource2test`.`acl_entry`, CONSTRAINT `fk_acl_entry_object` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`))
at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:246)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
at org.springframework.jdbc.core.JdbcTemplate.translateException(JdbcTemplate.java:1402)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:620)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:634)
at org.springframework.jdbc.core.JdbcTemplate.batchUpdate(JdbcTemplate.java:924)
at org.springframework.security.acls.jdbc.JdbcMutableAclService.createEntries(JdbcMutableAclService.java:138)
at org.springframework.security.acls.jdbc.JdbcMutableAclService.updateAcl(JdbcMutableAclService.java:363)
at com.roberto.bootstrap.AppBootstrap.lambda$grantPermission$6(AppBootstrap.java:144)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140)
at com.roberto.bootstrap.AppBootstrap.grantPermission(AppBootstrap.java:144)
at com.roberto.bootstrap.AppBootstrap.lambda$initialRights$3(AppBootstrap.java:115)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:797)
... 37 more
Caused by: java.sql.BatchUpdateException: Cannot add or update a child row: a foreign key constraint fails (`iresource2test`.`acl_entry`, CONSTRAINT `fk_acl_entry_object` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`))
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:488)
at com.mysql.cj.util.Util.handleNewInstance(Util.java:210)
at com.mysql.cj.util.Util.getInstance(Util.java:185)
at com.mysql.cj.util.Util.getInstance(Util.java:192)
at com.mysql.cj.jdbc.exceptions.SQLError.createBatchUpdateException(SQLError.java:218)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeBatchSerially(ClientPreparedStatement.java:864)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeBatchInternal(ClientPreparedStatement.java:453)
at com.mysql.cj.jdbc.StatementImpl.executeBatch(StatementImpl.java:839)
at com.zaxxer.hikari.pool.ProxyStatement.executeBatch(ProxyStatement.java:128)
at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeBatch(HikariProxyPreparedStatement.java)
at org.springframework.jdbc.core.JdbcTemplate.lambda$batchUpdate$2(JdbcTemplate.java:938)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:605)
... 46 more
Caused by: java.sql.SQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`iresource2test`.`acl_entry`, CONSTRAINT `fk_acl_entry_object` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`))
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:115)
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95)
at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeBatchSerially(ClientPreparedStatement.java:843)
... 52 more
I have a couple of questions:
Thanks! :-)
As this question did not become so popular, I tried a different approach which seems to work great :-)
First I created a new ACLService class, to isolate all interactions with JdbcMutableAclService.
package com.roberto.security.service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.acls.model.*;
import org.springframework.stereotype.Service;
/**
* Service class to handle ACL permissions.
*/
@Service
public class ACLService {
private final MutableAclService mutableAclService;
@Autowired
public ACLService(MutableAclService mutableAclService) {
this.mutableAclService = mutableAclService;
}
/**
* Insert an ACL entry
* @param oid represents the model object
* @param recipient represents the principal (user, group of users, etc)
* @param permission quite explicit name...
* @return the new ACL database entry
*/
public MutableAcl addPermission(ObjectIdentity oid, Sid recipient, Permission permission) {
MutableAcl acl;
try {
acl = (MutableAcl) mutableAclService.readAclById(oid);
} catch (NotFoundException nfe) {
acl = mutableAclService.createAcl(oid);
}
acl.insertAce(acl.getEntries().size(), permission, recipient, true);
return mutableAclService.updateAcl(acl);
}
}
Then I created another integration test which runs properly, without the IllegalStateException. Now I will just have to call it from my bootstrap class.
package com.roberto.security.service;
import com.roberto.model.TimeSheet;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.*;
import org.springframework.security.test.context.support.WithUserDetails;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.transaction.annotation.Transactional;
import java.util.List;
import static org.junit.Assert.*;
import static org.springframework.test.annotation.DirtiesContext.ClassMode.BEFORE_EACH_TEST_METHOD;
/**
* This test handles basic interaction between our codebase
* Spring Security ACL and the underlying database model
*/
@SpringBootTest
@RunWith(SpringRunner.class)
public class ACLServiceIntegrationTest {
private Authentication authentication;
private ObjectIdentity oid ;
private Sid sid;
private Permission administration = BasePermission.ADMINISTRATION;
@Autowired
private ACLService aclService;
@Autowired
private MutableAclService mutableAclService;
@Autowired
private PermissionEvaluator permissionEvaluator;
@Before
public void setUp() {
authentication = TestSecurityContextHolder.getContext().getAuthentication();
sid = new PrincipalSid(((JwtUser) authentication.getPrincipal()).getUsername());
oid = new ObjectIdentityImpl(TimeSheet.class, 1);
}
@Test
@WithUserDetails("admin")
public void testBeans() {
assertNotNull(aclService);
assertNotNull(mutableAclService);
assertNotNull(permissionEvaluator);
}
@Test
@Transactional
@WithUserDetails("admin")
@DirtiesContext(methodMode = AFTER_METHOD)
public void addPermissionIntegrationTest() {
assertFalse(permissionEvaluator.hasPermission(authentication, oid.getIdentifier(), oid.getType(), administration));
MutableAcl acl = aclService.addPermission(oi, sid, administration);
assertTrue(permissionEvaluator.hasPermission(authentication, oid.getIdentifier(), oid.getType(), administration));
assertEquals(TimeSheet.class.toString().split(" ")[1], acl.getObjectIdentity().getType());
assertTrue(acl.getEntries().stream().anyMatch(e -> e.getSid().equals(sid) && e.getPermission().equals(administration)));
assertTrue(acl.isGranted(List.of(administration), List.of(sid), true));
}
}