
JTA Entities not supported

Help
2011-06-07
2013-05-30
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-07

    We have been using JOTM library successfully in our spring + jpa + hibernate project.

    When we secure JPA using jpasecurity a simple get on the secured entity will fail with the below error:

    java.lang.IllegalStateException: A JTA EntityManager cannot use getTransaction()

    Here is the stacktrace corresponding to ${client.name} invocation from JSP:

    Caused by: java.lang.IllegalStateException: A JTA EntityManager cannot use getTransaction()
    at org.hibernate.ejb.AbstractEntityManagerImpl.getTransaction(AbstractEntityManagerImpl.java:814)
    at net.sf.jpasecurity.persistence.compiler.EntityManagerEvaluator.evaluate(EntityManagerEvaluator.java:105)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:866)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:98)
    at net.sf.jpasecurity.jpql.parser.JpqlSubselect.jjtAccept(JpqlSubselect.java:18)
    at net.sf.jpasecurity.jpql.parser.SimpleNode.visit(SimpleNode.java:113)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:294)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:98)
    at net.sf.jpasecurity.jpql.parser.JpqlIn.jjtAccept(JpqlIn.java:18)
    at net.sf.jpasecurity.jpql.parser.SimpleNode.visit(SimpleNode.java:113)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:754)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:98)
    at net.sf.jpasecurity.jpql.parser.JpqlBrackets.jjtAccept(JpqlBrackets.java:18)
    at net.sf.jpasecurity.jpql.parser.SimpleNode.visit(SimpleNode.java:113)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:197)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:98)
    at net.sf.jpasecurity.jpql.parser.JpqlOr.jjtAccept(JpqlOr.java:18)
    at net.sf.jpasecurity.jpql.parser.SimpleNode.visit(SimpleNode.java:113)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:754)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.visit(QueryEvaluator.java:98)
    at net.sf.jpasecurity.jpql.parser.JpqlBrackets.jjtAccept(JpqlBrackets.java:18)
    at net.sf.jpasecurity.jpql.parser.SimpleNode.visit(SimpleNode.java:113)
    at net.sf.jpasecurity.jpql.compiler.QueryEvaluator.evaluate(QueryEvaluator.java:134)
    at net.sf.jpasecurity.security.EntityFilter.isAccessible(EntityFilter.java:108)
    at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.isAccessible(DefaultSecureEntityManager.java:281)
    at net.sf.jpasecurity.entity.SecureEntityDecorator.refresh(SecureEntityDecorator.java:101)
    at net.sf.jpasecurity.entity.SecureEntityDecorator.refresh(SecureEntityDecorator.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at net.sf.jpasecurity.proxy.CgLibSecureEntityProxyFactory$CgLibSecureEntityMethod.invoke(CgLibSecureEntityProxyFactory.java:134)
    at net.sf.jpasecurity.entity.SecureEntityInterceptor.intercept(SecureEntityInterceptor.java:70)
    at net.sf.jpasecurity.proxy.CgLibSecureEntityProxyFactory$CgLibMethodInterceptor.intercept(CgLibSecureEntityProxyFactory.java:102)
    at com.nestorurquiza.model.Client$$EnhancerByCGLIB$$e6ceed17.refresh(<generated>)
    at net.sf.jpasecurity.entity.SecureEntityInterceptor.intercept(SecureEntityInterceptor.java:68)
    at net.sf.jpasecurity.proxy.CgLibSecureEntityProxyFactory$CgLibMethodInterceptor.intercept(CgLibSecureEntityProxyFactory.java:102)
    at com.nestorurquiza.model.Client$$EnhancerByCGLIB$$e6ceed17.getName(<generated>)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:62)

     
  • Arne Limburg

    Arne Limburg - 2011-06-07

    Can you please give the security rule for client?

    This is a bug. You can work around this bug by preloading the entities that are needed to evaluate the rule (i.e. execute the subselect of your rule before the actual query).

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-07

    The rule (commented out below) does work when I do not use JTA. The other uncommented rules do work in any case:

    <access-rule>GRANT CREATE READ        ACCESS TO Client c</access-rule>
    <access-rule>GRANT                    ACCESS TO Client c WHERE 'ROLE_ADMIN' IN (CURRENT_ROLES)</access-rule>
    <!--    <access-rule>GRANT                    ACCESS TO Client c WHERE c.id IN (SELECT cs.client.id FROM ClientStaffing cs, ClientStatus cst, Employee e WHERE e.email=CURRENT_PRINCIPAL AND cs.endDate IS NULL AND ( cst.name &lt;&gt; 'Closed' OR cst.name IS NULL) )</access-rule> -->

    We preload all the entities when the application starts. We use a custom spring PersistenceUnitPostProcessor that loads them all by package convention instead of defining them in XML (I always favor convention over configuration when possible)

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-08

    I am not sure if I can go around this issue then. Should I submit a bug?

     
  • Arne Limburg

    Arne Limburg - 2011-06-09

    Regarding the workaround: Can you tell me how the involved entities are connected?

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-10

    Client
    @OneToMany(mappedBy = "client", fetch = FetchType.LAZY, cascade = {CascadeType.PERSIST, CascadeType.MERGE})
    private List<ClientStaffing> staffing;

    @ManyToOne(fetch = FetchType.LAZY)
    @ForeignKey(name = "FK_client_current_client_status_id")
    @Fetch(FetchMode.JOIN)
    private ClientStatus currentStatus;

    ClientStaffing
    @NotNull(message = "validation.mandatoryField")
    @ManyToOne(fetch = FetchType.LAZY, optional = false)
    @ForeignKey(name = "FK_client_staffing_client_id")
    private Client client;

    @NotNull(message = "validation.mandatoryField")
    @ManyToOne(fetch = FetchType.LAZY, optional = false)
    @ForeignKey(name = "FK_client_staffing_employee_id")
    private Employee employee;

    ClientStatus has no references to any of the above

    Employee has no references to any of the above

     
  • Arne Limburg

    Arne Limburg - 2011-06-10

    So can you please formulate your access rule in human words? ;-)
    Is this right:
    You want to grant access to a client that contains a ClientStaffing with a null end date. Additionally a single ClientStatus must exist anywhere in the database with name 'closed' or null and the current user must exist as an employee?

     
  • Arne Limburg

    Arne Limburg - 2011-06-10

    Note that in your rule the client status is not connected to the client!

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-10

    You are correct about the rule missing a relationship; however, that will always make the number of authorized users undesirably bigger. Thanks for the correction.

    Let us get back to the issue, because even with a correct query this will still fail, and I have to say this does not fail with LOCAL transaction type for some reason I cannot tell (that is the only difference between my unit tests and my servlet container; tests are not using JTA).

    So my rule is a little bit complex, give access to a client if:
    1. The currently logged employee (e.email=CURRENT_PRINCIPAL)
    2. works for the client ( cs.employee=e AND cs.client=c ),
    3. he is still active ( cs.endDate IS NULL ),
    4. and the client status is not 'Closed' or is unknown ( cst.name &lt;&gt; 'Closed' OR cst.name IS NULL )

    I believe this query should do the trick, however it fails with the very same stacktrace I posted before:

    GRANT ACCESS TO Client c WHERE c.id IN (SELECT cs.client.id FROM ClientStaffing cs, ClientStatus cst, Employee e WHERE e.email=CURRENT_PRINCIPAL AND cs.employee=e AND cs.client=c AND cs.endDate IS NULL AND ( cst.name &lt;&gt; 'Closed' OR cst.name IS NULL) )
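
The effect of an unconnected entity in a rule's subselect, as an added example that is not part of the original thread: the rules discussed above are translated by hand to SQL and run over constructed rows in SQLite. The SQL translation, the sample rows and the function name are assumptions; table and column names follow the mysql query quoted in this thread.

```python
import sqlite3

# Constructed sample data. Table and column names follow the mysql query
# quoted in this thread; every row is made up for the example.
SCHEMA = """
CREATE TABLE employee (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE client_status (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT, current_status_id INTEGER);
CREATE TABLE client_staffing (id INTEGER PRIMARY KEY, client_id INTEGER,
                              employee_id INTEGER, end_date TEXT);
INSERT INTO employee VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
INSERT INTO client_status VALUES (1, 'Live (Open)'), (2, 'Closed');
INSERT INTO client VALUES (10, 'Open client', 1), (11, 'Closed client', 2),
                          (12, 'No status', NULL), (13, 'Other client', 1);
INSERT INTO client_staffing VALUES
  (100, 10, 1, NULL),          -- alice, active, open client
  (101, 11, 1, NULL),          -- alice, active, closed client
  (102, 12, 1, NULL),          -- alice, active, client without a status
  (103, 13, 1, '2011-01-31'),  -- alice, staffing ended
  (104, 13, 2, NULL);          -- bob, active
"""

# First rule posted in the thread: staffing, status and employee form a plain
# cross product, so none of them is tied to the client or to each other.
RULE_UNCONNECTED = """
SELECT c.id FROM client c WHERE c.id IN (
  SELECT cs.client_id FROM client_staffing cs, client_status cst, employee e
  WHERE e.email = :principal AND cs.end_date IS NULL
    AND (cst.name <> 'Closed' OR cst.name IS NULL))
"""

# Rule with cs.employee=e AND cs.client=c added: staffing is now tied to the
# employee and the client, but the status table is still only cross joined.
RULE_STATUS_UNCONNECTED = """
SELECT c.id FROM client c WHERE c.id IN (
  SELECT cs.client_id FROM client_staffing cs, client_status cst, employee e
  WHERE e.email = :principal AND cs.employee_id = e.id AND cs.client_id = c.id
    AND cs.end_date IS NULL
    AND (cst.name <> 'Closed' OR cst.name IS NULL))
"""

# The four conditions listed in the post with every entity tied to the client.
# LEFT JOIN keeps clients whose status is unknown (no status row).
RULE_CONNECTED = """
SELECT c.id FROM client c WHERE EXISTS (
  SELECT 1 FROM client_staffing cs
  JOIN employee e ON e.id = cs.employee_id
  LEFT JOIN client_status cst ON cst.id = c.current_status_id
  WHERE cs.client_id = c.id AND e.email = :principal
    AND cs.end_date IS NULL
    AND (cst.name <> 'Closed' OR cst.name IS NULL))
"""


def visible_clients(rule_sql, principal):
    """Return the sorted client ids that the rule lets `principal` read."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        rows = conn.execute(rule_sql, {"principal": principal}).fetchall()
        return sorted(row[0] for row in rows)
    finally:
        conn.close()


if __name__ == "__main__":
    rules = [("unconnected", RULE_UNCONNECTED),
             ("status unconnected", RULE_STATUS_UNCONNECTED),
             ("connected", RULE_CONNECTED)]
    for label, rule in rules:
        for user in ("alice@example.test", "bob@example.test", "mallory@example.test"):
            print(f"{label:20} {user:22} -> {visible_clients(rule, user)}")
```

With the cross-joined status table, the status condition holds for every client as long as any non-closed status row exists anywhere, so the closed client stays visible to its staff.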
    
     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-10

    And just in case you are wondering if I use something like the below (relying on the external Client c definition) it breaks with "Mapping not found for type c.staffing"

    <access-rule>GRANT ACCESS TO Client c WHERE c.id IN (SELECT cs.client.id FROM c.staffing cs, c.cst cst, c.e e WHERE e.email=CURRENT_PRINCIPAL AND  cs.endDate IS NULL AND ( cst.name &lt;&gt; 'Closed' OR cst.name IS NULL) )</access-rule>
    
     
  • Arne Limburg

    Arne Limburg - 2011-06-11

    Great, please rewrite your access rule like this and see, if that works:

    GRANT ACCESS TO Client c WHERE EXISTS
        (SELECT c FROM Client c INNER JOIN c.staffing cs
         WHERE cs.employee.email = CURRENT_PRICIPAL
           AND cs.endDate IS NULL
           AND (c.currentStatus.name <> 'Closed' OR c.currentStatus.name IS NULL)
    

    Additionally the explanation, why it works within your tests, but not on the server:
    The access rules are not only appended to JPQL, but also evaluated in memory in certain cases (i.e. when you persist or update an entity or the first time you navigate through a relation). With some rules that contain subselects evaluation in memory is not possible and in this case a second EntityManager is opened to evaluate the rule. This is not possible in your server environment, which leads to the exception. Rewriting the rule like I suggested should make it evaluatable in memory and the problem is gone, hopefully.

     
  • Arne Limburg

    Arne Limburg - 2011-06-11

    Oops, this time it was me missing the connection ;-) The rule should read:

    GRANT ACCESS TO Client client WHERE EXISTS
        (SELECT c FROM Client c INNER JOIN c.staffing cs
         WHERE c = client
           AND cs.employee.email = CURRENT_PRICIPAL
           AND cs.endDate IS NULL
           AND (c.currentStatus.name <> 'Closed' OR c.currentStatus.name IS NULL)
    
     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-11

    EXISTS won't work. Look at the exception below:

    2011-06-11 11:53:37,661 INFO  - <using net.sf.jpasecurity.mapping.DefaultPropertyAccessStrategyFactory as PropertyAccessStrategy factory>
    2011-06-11 11:53:37,692 INFO  - <using net.sf.jpasecurity.spring.authentication.SpringAuthenticationProvider as authentication provider>
    2011-06-11 11:53:37,695 INFO  - <using net.sf.jpasecurity.security.rules.DefaultAccessRulesProvider as access rules provider>
    2011-06-11 11:53:42,023 WARN  - <Caught exception while allowing TestExecutionListener  to process 'before' execution of test method  for test instance >
    org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction; nested exception is javax.persistence.PersistenceException
    at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:382)
    at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:371)
    at org.springframework.test.context.transaction.TransactionalTestExecutionListener$TransactionContext.startTransaction(TransactionalTestExecutionListener.java:507)
    at org.springframework.test.context.transaction.TransactionalTestExecutionListener.startNewTransaction(TransactionalTestExecutionListener.java:269)
    at org.springframework.test.context.transaction.TransactionalTestExecutionListener.beforeTestMethod(TransactionalTestExecutionListener.java:162)
    at org.springframework.test.context.TestContextManager.beforeTestMethod(TestContextManager.java:374)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:73)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:82)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:72)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:240)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:180)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
    Caused by: javax.persistence.PersistenceException
    at net.sf.jpasecurity.persistence.JpaExceptionFactory.createRuntimeException(JpaExceptionFactory.java:28)
    at net.sf.jpasecurity.configuration.AbstractExceptionFactory.createRuntimeException(AbstractExceptionFactory.java:63)
    at net.sf.jpasecurity.security.rules.AbstractAccessRulesProvider.compileRules(AbstractAccessRulesProvider.java:132)
    at net.sf.jpasecurity.security.rules.XmlAccessRulesProvider.initializeAccessRules(XmlAccessRulesProvider.java:53)
    at net.sf.jpasecurity.security.rules.AbstractAccessRulesProvider.getAccessRules(AbstractAccessRulesProvider.java:93)
    at net.sf.jpasecurity.security.rules.DefaultAccessRulesProvider.getAccessRules(DefaultAccessRulesProvider.java:49)
    at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.<init>(DefaultSecureEntityManager.java:112)
    at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.<init>(DefaultSecureEntityManager.java:83)
    at net.sf.jpasecurity.persistence.SecureEntityManagerFactory.createSecureEntityManager(SecureEntityManagerFactory.java:106)
    at net.sf.jpasecurity.persistence.SecureEntityManagerFactory.createEntityManager(SecureEntityManagerFactory.java:83)
    at org.springframework.orm.jpa.JpaTransactionManager.createEntityManagerForTransaction(JpaTransactionManager.java:400)
    at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:321)
    … 25 more
    Caused by: net.sf.jpasecurity.jpql.parser.ParseException: Encountered " "EXISTS" "EXISTS "" at line 1, column 51.
    Was expecting one of:
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
        "(" …
       
    at net.sf.jpasecurity.jpql.parser.JpqlParser.generateParseException(JpqlParser.java:11458)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.jj_consume_token(JpqlParser.java:11337)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.conditionalPrimary(JpqlParser.java:2412)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.conditionalFactor(JpqlParser.java:2392)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.conditionalTerm(JpqlParser.java:2254)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.conditionalExpression(JpqlParser.java:2216)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.whereClause(JpqlParser.java:1999)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.jpqlAccessRule(JpqlParser.java:153)
    at net.sf.jpasecurity.jpql.parser.JpqlParser.parseRule(JpqlParser.java:19)
    at net.sf.jpasecurity.security.rules.AbstractAccessRulesProvider.compileRules(AbstractAccessRulesProvider.java:127)
    … 34 more

    When I change the query as below it does not fail:

    <access-rule>GRANT                    ACCESS TO Client c.id IN (SELECT c.id FROM Client c INNER JOIN c.staffing cs WHERE cs.employee.email = CURRENT_PRICIPAL AND cs.endDate IS NULL AND (c.currentStatus.name &lt;&gt; 'Closed' OR c.currentStatus.name IS NULL)</access-rule>
    

    However access is still granted to anybody to READ as the log trace shows:

    2011-06-11 12:37:20,704 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Filtering query SELECT c FROM Client c LEFT JOIN c.structure s WHERE c.group.id = :groupId and s.name like '%Master%' ORDER BY c.name
    2011-06-11 12:37:20,709 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Using access rules net.sf.jpasecurity.security.EntityFilter$AccessDefinition@4e246c18
    2011-06-11 12:37:20,710 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Access rules are always true for current user and roles. Returning unfiltered query
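
A log check for the situation in the post above, where jpasecurity reports that the access rules are always true and returns the query unfiltered; this is an added example, not part of the original thread or of jpasecurity. The field layout (address, then session id, then message) is inferred from the quoted lines, and the protected-entity set, the function names and the sample lines for the other sessions are assumptions.

```python
import re

# Lines for session A28E7CE5... are the DEBUG lines quoted in the post above.
# Lines for the CONSTRUCTED* sessions are made up, reusing the same messages.
SAMPLE_LOG = """\
2011-06-11 12:37:20,704 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Filtering query SELECT c FROM Client c LEFT JOIN c.structure s WHERE c.group.id = :groupId and s.name like '%Master%' ORDER BY c.name
2011-06-11 12:37:20,706 DEBUG  - 0:0:0:0:0:0:0:1%0 CONSTRUCTEDSESSION0001 Filtering query SELECT k FROM Country k ORDER BY k.name
2011-06-11 12:37:20,709 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Using access rules net.sf.jpasecurity.security.EntityFilter$AccessDefinition@4e246c18
2011-06-11 12:37:20,710 DEBUG  - 0:0:0:0:0:0:0:1%0 A28E7CE5FA7A8540544DDB43C4674E4A Access rules are always true for current user and roles. Returning unfiltered query
2011-06-11 12:37:20,712 DEBUG  - 0:0:0:0:0:0:0:1%0 CONSTRUCTEDSESSION0001 Access rules are always true for current user and roles. Returning unfiltered query
2011-06-11 12:37:21,100 DEBUG  - 0:0:0:0:0:0:0:1%0 CONSTRUCTEDSESSION0002 Filtering query SELECT c FROM Client c WHERE c.id = :id
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+- "
    r"(?P<addr>\S+) (?P<session>\S+) (?P<msg>.*)$"
)
FROM_CLAUSE = re.compile(
    r"\bFROM\s+(.*?)(?=\s+WHERE\b|\s+ORDER\s+BY\b|\s+GROUP\s+BY\b|$)",
    re.IGNORECASE | re.DOTALL,
)
FILTERING = "Filtering query "
UNFILTERED = "Returning unfiltered query"


def entities_in_from(query):
    """Entity names in the outer FROM clause; path joins like c.structure are skipped."""
    match = FROM_CLAUSE.search(query)
    if not match:
        return set()
    names = set()
    for part in re.split(r",|\bJOIN\b", match.group(1), flags=re.IGNORECASE):
        tokens = part.split()
        if tokens and "." not in tokens[0] and tokens[0][0].isupper():
            names.add(tokens[0])
    return names


def unfiltered_protected_queries(log_text, protected):
    """Pair each 'Filtering query' line with the outcome logged for the same
    session and report queries on protected entities returned unfiltered."""
    pending = {}   # session id -> most recent query being filtered
    findings = []
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        session, msg = match["session"], match["msg"]
        if msg.startswith(FILTERING):
            pending[session] = msg[len(FILTERING):]
        elif UNFILTERED in msg and session in pending:
            query = pending.pop(session)
            hit = entities_in_from(query) & set(protected)
            if hit:
                findings.append({
                    "timestamp": match["ts"],
                    "session": session,
                    "entities": sorted(hit),
                    "query": query,
                })
    return findings


if __name__ == "__main__":
    for finding in unfiltered_protected_queries(SAMPLE_LOG, {"Client"}):
        print(finding["timestamp"], finding["session"], finding["entities"])
```

The same message is expected for a user who holds ROLE_ADMIN under the rules in this thread, so each finding still has to be matched against who owned the session.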

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-11

    And this is a @NamedQuery and not a CriteriaBuilder type of query (which we already know jpasecurity is still not supporting) so security should be applied to it.

     
  • Arne Limburg

    Arne Limburg - 2011-06-11

    Note my typo, that you copy-pasted: It must be CURRENT_PRINCIPAL and not CURRENT_PRICIPAL. I am sure the EXISTS query will work. However, I had that same strange exception that you have recently when fixing the SUBSELECT for Annotations. I had a typo there, too. Would you please check if the problem is gone when you fix the typo?

     
  • Arne Limburg

    Arne Limburg - 2011-06-11

    Is it OK when I add your entities to our test-suite? Then I would make unit-tests of my own and it is easier to work on these issues together.

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-11

    Even with the typo corrected it still allows any user to list the entity. Just to give you a little more detail. I commented out the rule as you see below:

    <access-rule>GRANT                    ACCESS TO Client c WHERE 'ROLE_ADMIN' IN (CURRENT_ROLES)</access-rule>
    <!--    <access-rule>GRANT                    ACCESS TO Client c.id IN (SELECT c.id FROM Client c INNER JOIN c.staffing cs WHERE cs.employee.email = CURRENT_PRINCIPAL AND cs.endDate IS NULL AND (c.currentStatus.name &lt;&gt; 'Closed' OR c.currentStatus.name IS NULL)</access-rule> -->
    

    Then I get the correct Exception:

    Data access failure: The current user is not permitted to find the specified entity of type class com.nestorurquiza.model.Client
    java.lang.SecurityException: The current user is not permitted to find the specified entity of type class com.nestorurquiza.model.Client at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.find(DefaultSecureEntityManager.java:141) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.orm.jpa.ExtendedEntityManagerCreator$ExtendedEntityManagerInvocationHandler.invoke(ExtendedEntityManagerCreator.java:365) at $Proxy1187.find(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:240) at $Proxy1086.find(Unknown Source) at com.nestorurquiza.dao.GenericEntityDaoImpl.find(GenericEntityDaoImpl.java:210) at com.nestorurquiza.service.impl.GenericEntityCrudServiceImpl.find(GenericEntityCrudServiceImpl.java:32) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196) at $Proxy1097.find(Unknown Source) at com.nestorurquiza.web.ClientController.edit(ClientController.java:242) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176) at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:427) at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:415) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:788) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:717) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:113) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.nestorurquiza.web.filter.ForcePasswordChangeFilter.doFilter(ForcePasswordChangeFilter.java:51) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.nestorurquiza.web.filter.XssFilter.doFilter(XssFilter.java:19) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:366) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at 
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at com.nestorurquiza.web.filter.CustomRememberMeFilter.doFilter(CustomRememberMeFilter.java:35) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167) at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at fr.xebia.servlet.filter.ExpiresFilter.doFilter(ExpiresFilter.java:1243) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.nestorurquiza.web.filter.LoggingFilter.doFilter(LoggingFilter.java:38) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:680)
    

    And yes you can add my entities. The only thing I would ask you is just to include certain fields, those that are really needed for the unit test. That way our business model is not exposed to the wild.

    Thanks!
    -Nestor

     
  • Arne Limburg

    Arne Limburg - 2011-06-12

    I have added a fix for the JTA-EntityManager problem.

    But anyway we should get the EXISTS-query to work since your current query will lead to a database select on every access check. Additionally the check will fail when the EntityManager is closed.

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-12

    EXISTS still does not work. I guess that is what you are saying, right? Then IN, while it does not throw the parse exception, results in a security exception even for a user that should be allowed. Here is the rule:

            <access-rule>GRANT                    ACCESS TO Client client WHERE IN (SELECT c FROM client c INNER JOIN c.staffing cs WHERE cs.employee.email = CURRENT_PRINCIPAL AND cs.endDate IS NULL AND (c.currentStatus.name &lt;&gt; 'Closed' OR c.currentStatus.name IS NULL)</access-rule>
    

    Here is mysql code returning a record:

    mysql> select distinct e.email, cs.end_date, c.name, c.id, cst.name  from employee e inner join client_staffing cs on cs.employee_id=e.id inner join client c on c.id=cs.client_id  inner join client_status cst on c.current_status_id=cst.id AND ( cst.name != 'Closed' or cst.name IS NULL) where email='testmanager@nestorurquiza.com' order by c.name;
    +-------------------------------+----------+-----------+----+-------------+
    | email                         | end_date | name      | id | name        |
    +-------------------------------+----------+-----------+----+-------------+
    | testmanager@nestorurquiza.com | NULL     | My Client |  2 | Live (Open) |
    +-------------------------------+----------+-----------+----+-------------+
    1 row in set (0.00 sec)
    

    Here is the exception:

    java.lang.SecurityException: The current user is not permitted to find the specified entity of type class com.krfs.model.Client_$$_javassist_66
    at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.find(DefaultSecureEntityManager.java:147)
    at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.orm.jpa.ExtendedEntityManagerCreator$ExtendedEntityManagerInvocationHandler.invoke(ExtendedEntityManagerCreator.java:365)
    at $Proxy1520.find(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:240)
    at $Proxy1419.find(Unknown Source)
    at com.krfs.dao.GenericEntityDaoImpl.find(GenericEntityDaoImpl.java:210)
    at com.krfs.service.impl.GenericEntityCrudServiceImpl.find(GenericEntityCrudServiceImpl.java:32)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196)
    at $Proxy1430.find(Unknown Source)
    at com.krfs.web.ClientOperatingDetailsController.show(ClientOperatingDetailsController.java:59)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:427)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:415)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:788)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:717)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:113)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.krfs.web.filter.ForcePasswordChangeFilter.doFilter(ForcePasswordChangeFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.krfs.web.filter.XssFilter.doFilter(XssFilter.java:19)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:366)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at com.krfs.web.filter.CustomRememberMeFilter.doFilter(CustomRememberMeFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at fr.xebia.servlet.filter.ExpiresFilter.doFilter(ExpiresFilter.java:1243)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.krfs.web.filter.LoggingFilter.doFilter(LoggingFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:680)
    
     
  • Arne Limburg

    Arne Limburg - 2011-06-12

    I have improved the logging for EntityFilter.
    Could you please update trunk and then provide the debug logging of net.sf.jpasecurity.security.EntityFilter in this case?

    Thanks in advance,
    Arne

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-12

    2011-06-12 15:43:47,899 INFO [com.nu.web.filter.LoggingFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 /nu-app/client/2/edit?&ctoken=46007252644292584939088169399011310475 0:0:0:0:0:0:0:1%0
    2011-06-12 15:43:47,900 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2f5895b3: Authentication: org.springframework.security.authentication.RememberMeAuthenticationToken@2f5895b3: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2864bdf6: Dn: cn=testManager@nu.com,ou=people,o=nu; Username: testmanager@nu.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de60: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 160F7CA9E01317842B2AE4AAD72F3F70; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER'
    2011-06-12 15:43:47,950 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientAdministrator t ORDER BY t.name
    2011-06-12 15:43:47,951 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,002 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientInvestmentMethod t ORDER BY t.name
    2011-06-12 15:43:48,003 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,020 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientLaunchType t ORDER BY t.name
    2011-06-12 15:43:48,020 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,032 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientStatus t ORDER BY t.name
    2011-06-12 15:43:48,032 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,045 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientStrategy t ORDER BY t.name
    2011-06-12 15:43:48,046 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,065 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientType t ORDER BY t.name
    2011-06-12 15:43:48,066 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,083 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from InstrumentTraded t ORDER BY t.name
    2011-06-12 15:43:48,084 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,108 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from Exchange t ORDER BY t.name
    2011-06-12 15:43:48,109 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,120 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientGroup t ORDER BY t.name
    2011-06-12 15:43:48,120 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,151 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientStructure t ORDER BY t.name
    2011-06-12 15:43:48,152 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,169 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from ClientServiceAgreementType t ORDER BY t.name
    2011-06-12 15:43:48,169 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,182 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 Filtering query Select t from Office t ORDER BY t.name
    2011-06-12 15:43:48,182 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 15:43:48,224 ERROR [com.nu.web.handler.CustomSimpleMappingExceptionResolver] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70
    java.lang.SecurityException: The current user is not permitted to find the specified entity of type class com.nu.model.Client
    at net.sf.jpasecurity.persistence.DefaultSecureEntityManager.find(DefaultSecureEntityManager.java:147)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.orm.jpa.ExtendedEntityManagerCreator$ExtendedEntityManagerInvocationHandler.invoke(ExtendedEntityManagerCreator.java:365)
    at $Proxy515.find(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:240)
    at $Proxy414.find(Unknown Source)
    at com.nu.dao.GenericEntityDaoImpl.find(GenericEntityDaoImpl.java:210)
    at com.nu.service.impl.GenericEntityCrudServiceImpl.find(GenericEntityCrudServiceImpl.java:32)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196)
    at $Proxy425.find(Unknown Source)
    at com.nu.web.ClientController.edit(ClientController.java:242)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:427)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:415)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:788)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:717)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:113)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.nu.web.filter.ForcePasswordChangeFilter.doFilter(ForcePasswordChangeFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.nu.web.filter.XssFilter.doFilter(XssFilter.java:19)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:366)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at com.nu.web.filter.CustomRememberMeFilter.doFilter(CustomRememberMeFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at fr.xebia.servlet.filter.ExpiresFilter.doFilter(ExpiresFilter.java:1243)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.nu.web.filter.LoggingFilter.doFilter(LoggingFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:680)
    2011-06-12 15:43:48,708 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - 0:0:0:0:0:0:0:1%0 160F7CA9E01317842B2AE4AAD72F3F70 SecurityContextHolder now cleared, as request processing completed

     
  • Arne Limburg

    Arne Limburg - 2011-06-12

    OK, as I see from the log, it is not a query that causes this exception, but a call to EntityManager.find(…). For this case I need some more logging, which I have meanwhile added to EntityFilter. Could you please post this additional logging, too?
    Btw. you only need to post the three or four statements before the exception ;-)

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-12

    2011-06-12 19:14:31,629 INFO [com.nu.web.filter.LoggingFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 /nu-app/client/2/edit?&ctoken=46007252644292584939088169399011310475 0:0:0:0:0:0:0:1%0
    2011-06-12 19:14:31,630 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2f594bd3: Authentication: org.springframework.security.authentication.RememberMeAuthenticationToken@2f594bd3: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2864bdf6: Dn: cn=testManager@nu.com,ou=people,o=nu; Username: testmanager@nu.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 9384AFE177768DE11AC2FA3F6E7AD269; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER'
    2011-06-12 19:14:31,665 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientAdministrator t ORDER BY t.name
    2011-06-12 19:14:31,676 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,739 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientInvestmentMethod t ORDER BY t.name
    2011-06-12 19:14:31,740 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,753 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientLaunchType t ORDER BY t.name
    2011-06-12 19:14:31,753 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,765 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientStatus t ORDER BY t.name
    2011-06-12 19:14:31,765 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,780 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientStrategy t ORDER BY t.name
    2011-06-12 19:14:31,780 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,797 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientType t ORDER BY t.name
    2011-06-12 19:14:31,797 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,810 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from InstrumentTraded t ORDER BY t.name
    2011-06-12 19:14:31,811 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,835 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from Exchange t ORDER BY t.name
    2011-06-12 19:14:31,836 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,853 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientGroup t ORDER BY t.name
    2011-06-12 19:14:31,853 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,881 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientStructure t ORDER BY t.name
    2011-06-12 19:14:31,881 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,902 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from ClientServiceAgreementType t ORDER BY t.name
    2011-06-12 19:14:31,902 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,914 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Filtering query Select t from Office t ORDER BY t.name
    2011-06-12 19:14:31,915 INFO [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 No access rules defined for selected type. Returning unfiltered query
    2011-06-12 19:14:31,952 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Evaluating READ access for entity of type Client
    2011-06-12 19:14:31,958 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Using access definition [query="((('ROLE_ADMIN' = :CURRENT_ROLES0 OR 'ROLE_ADMIN' = :CURRENT_ROLES1)))",parameters={CURRENT_PRINCIPAL=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2864bdf6: Dn: cn=testManager@nu.com,ou=people,o=nu; Username: testmanager@nu.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER, CURRENT_ROLES0=ROLE_MANAGER, CURRENT_ROLES1=ROLE_12121416_nu REVIEWER}]
    2011-06-12 19:14:31,959 ERROR [com.nu.web.handler.CustomSimpleMappingExceptionResolver] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269
    java.lang.SecurityException: The current user is not permitted to find the specified entity of type class com.nu.model.Client

    Thanks for the effort!

     
  • Arne Limburg

    Arne Limburg - 2011-06-13

    As you can see from the following output, your rule is not applied. Just the rule

    GRANT ACCESS TO Client c WHERE 'ROLE_ADMIN' IN (CURRENT_ROLES)

    is applied.

    2011-06-12 19:14:31,958 DEBUG [net.sf.jpasecurity.security.EntityFilter] - 0:0:0:0:0:0:0:1%0 9384AFE177768DE11AC2FA3F6E7AD269 Using access definition [query="((('ROLE_ADMIN' = :CURRENT_ROLES0 OR 'ROLE_ADMIN' = :CURRENT_ROLES1)))",parameters={CURRENT_PRINCIPAL=org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2864bdf6: Dn: cn=testManager@nu.com,ou=people,o=nu; Username: testmanager@nu.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER, CURRENT_ROLES0=ROLE_MANAGER, CURRENT_ROLES1=ROLE_12121416_nu REVIEWER}]
    

    Are you sure you did not comment out the rule?

    The log shows an additional problem you might run into: Your user (provided by spring security) is of type LdapUserDetailsImpl. As I guess, the user in your JPA model is not of type LdapUserDetailsImpl (You use the email, as I saw, which is just a String, I guess). The comparison of LdapUserDetailsImpl and that String will always fail. You have to provide your own AuthenticationProvider implementation that extracts the email from the LdapUserDetailsImpl and returns it.
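
The reading of the "Using access definition" line in the post above can be automated. This is an added example, not part of the thread and not jpasecurity code: it parses that DEBUG line, evaluates the role comparisons against the bound CURRENT_ROLES parameters, and flags a CURRENT_PRINCIPAL that is an object's toString rather than a plain string. The function names and the shortened sample line are constructed for illustration, and only OR-chains of role equality are evaluated.

```python
import re

# Constructed sample modelled on the EntityFilter DEBUG line in the thread
# (timestamp prefix and principal details shortened).
SAMPLE = (
    "2011-06-12 19:14:31,958 DEBUG [net.sf.jpasecurity.security.EntityFilter] - "
    "Using access definition [query=\"((('ROLE_ADMIN' = :CURRENT_ROLES0 OR "
    "'ROLE_ADMIN' = :CURRENT_ROLES1)))\",parameters={CURRENT_PRINCIPAL="
    "org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2864bdf6: "
    "Dn: cn=testManager@nu.com,ou=people,o=nu; Username: testmanager@nu.com; "
    "Granted Authorities: ROLE_MANAGER, ROLE_12121416_nu REVIEWER, "
    "CURRENT_ROLES0=ROLE_MANAGER, CURRENT_ROLES1=ROLE_12121416_nu REVIEWER}]"
)

DEFINITION = re.compile(
    r'Using access definition \[query="(?P<query>.*?)",'
    r"parameters=\{(?P<params>.*)\}\]\s*$"
)
COMPARISON = re.compile(r"'(?P<literal>[^']*)'\s*=\s*:(?P<param>CURRENT_ROLES\d+)")
# The parameter map is a Java Map.toString(); values may contain commas, so
# split on the known key names instead of on ", ".
PARAM_KEY = re.compile(r"(?:^|, )(CURRENT_(?:PRINCIPAL|ROLES\d+))=")
# Default Object.toString() prefix: fully.qualified.Class@hexhash
JAVA_OBJECT = re.compile(
    r"^(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*@[0-9a-f]+(?![\w.])"
)


def is_object_tostring(value):
    """True if the value looks like a Java object dump, not a plain string."""
    return bool(JAVA_OBJECT.match(value))


def split_params(raw):
    """Split the logged parameter map into {name: value}, keeping log order."""
    matches = list(PARAM_KEY.finditer(raw))
    params = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(raw)
        params[m.group(1)] = raw[m.end():end]
    return params


def explain_denial(line):
    """Explain why an access definition did or did not grant access.

    Returns None if the line is not a 'Using access definition' entry.
    'granted' is None when the query is not a plain OR-chain of
    "'ROLE' = :CURRENT_ROLESn" comparisons (not evaluated here).
    """
    m = DEFINITION.search(line)
    if not m:
        return None
    params = split_params(m.group("params"))
    result = {
        "bound_roles": [v for k, v in params.items()
                        if k.startswith("CURRENT_ROLES")],
        "principal_is_object": is_object_tostring(
            params.get("CURRENT_PRINCIPAL", "")),
        "required_roles": [],
        "granted": None,
    }
    terms = [t.strip(" ()") for t in re.split(r"\s+OR\s+", m.group("query"))]
    comparisons = [COMPARISON.fullmatch(t) for t in terms]
    if not all(comparisons):
        return result
    result["required_roles"] = sorted({c["literal"] for c in comparisons})
    result["granted"] = any(
        params.get(c["param"]) == c["literal"] for c in comparisons
    )
    return result


if __name__ == "__main__":
    report = explain_denial(SAMPLE)
    print("required roles:", report["required_roles"])
    print("bound roles:   ", report["bound_roles"])
    print("granted:       ", report["granted"])
    if report["principal_is_object"]:
        print("CURRENT_PRINCIPAL is an object dump; comparing it with a "
              "String column can never match")
```
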

     
  • Nestor Urquiza

    Nestor Urquiza - 2011-06-13

    The rule is not commented out. I am taking a look at the other problem now. Thanks for the heads up.

     