Retrieve Keycloak Roles in reactive Spring Gateway security - keycloak

I migrate from Zuul Gateway to Spring Gateway. This forced me to abandon Servlets for Webflux. I use KeyCloak and KeyCloak roles for authentication and authorization.
There is no official reactive KeyCloak implementation, so I use Spring OAuth2 instead. It works fine apart from retrieving the roles.
I cannot use servlet interceptors, because servlets are not allowed by WebFlux. Also, it seems Spring Gateway in general does not allow intercepting response bodies.
Thus my problem remains: How do I retrieve KeyCloak roles in Spring Gateway, so that they can be used by its security?
Here is some sample code I use:
In class SecurityConfig.java:
#Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.csrf().disable().authorizeExchange(exchanges -> exchanges.pathMatchers("/**").hasAnyRole("DIRECTOR")); }
application.yml:
spring.security.oauth2.client.provider.keycloak.issuer-uri: ..../realms/default


#Dave
Thank you for reminding me this question. I have since found a workaround in WebFlux. I have overriden ReactiveOAuth2UserService. By default it has two flavors a OAuth one and a Oidc one. In my case I have overriden the Oidc one:
#Component public class ReactiveKeycloakUserService extends OidcReactiveOAuth2UserService {
#Override
public Mono<OidcUser> loadUser(OidcUserRequest userRequest) throws ... {
// Call super and then replace result with roles
}
}
Spring will inject my instance instead of the default one. From userRequest you can retrieve the roles and after calling the same method on superclass you can intercept the result and add the roles on it.


I am having the same problem myself. One of the problems I am getting its getting copies of things like the JWT tag i.e. the text that Keycloak has encode you settings
#GetMapping("/whoami")
#ResponseBody
public Map<String, Object> index(
#RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
Authentication auth) {
log.error("XXAuth is {}",auth);
log.error("XXClient is {}", authorizedClient.getClientRegistration());
log.error("XXClient access is {}", authorizedClient.getAccessToken());
log.error("Token {}",authorizedClient.getAccessToken().getTokenValue());
}
This code will get you some of the values that are part of the conversation, the Token part is the JWT token, you can copy and paste that into jwt.io and find out what what Keycloak has actually sent.
This normally looks like
{
"exp": 1622299931,
"iat": 1622298731,
"auth_time": 1622298258,
"jti": "635ca59f-c87b-40da-b4ae-39774ed8098a",
"iss": "http://clunk:8080/auth/realms/spring-cloud-gateway-realm",
"sub": "6de0d95f-95b0-419d-87a4-b2862e8d0763",
"typ": "Bearer",
"azp": "spring-cloud-gateway-client",
"nonce": "2V8_3siQjTOIRbfs68BHwzvz3-dWeqXGUultzhJUWrA",
"session_state": "dd226823-90bc-429e-9cac-bb575b7d4fa0",
"acr": "0",
"realm_access": {
"roles": [
"ROLE_ANYONE"
]
},
"resource_access": {
"spring-cloud-gateway-client": {
"roles": [
"ROLE_ADMIN_CLIENT"
]
}
},
"scope": "openid email profile roles",
"email_verified": true,
"preferred_username": "anon"
}
As you can see Keycloak supports two different types of ROLE tokens, but they are not defined in top level, but under realm_access and resource_access, the difference being resource access defines ROLE that are part of a resource and real_access defines roles that are defined across all realms.
To get these values defined, its necessary to define a Mapper, as follows
To load these values in to Spring security you need to define a userAuthoritiesMapper Bean and export the settings found in the attributes as SimpleGrantedAuthority, as follows.
package foo.bar.com;
import lombok.extern.slf4j.Slf4j;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;
#Slf4j
#EnableWebFluxSecurity
#EnableReactiveMethodSecurity
public class RoleConfig {
#Bean
GrantedAuthoritiesMapper userAuthoritiesMapper() {
String ROLES_CLAIM = "roles";
return authorities -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
for (Object authority : authorities) {
boolean isOidc = authority instanceof OidcUserAuthority;
if (isOidc) {
log.error("Discovered an Oidc type of object");
var oidcUserAuthority = (OidcUserAuthority) authority;
java.util.Map<String, Object> attribMap = oidcUserAuthority.getAttributes();
JSONObject jsonClaim;
for (String attrib : attribMap.keySet()) {
log.error("Attribute name {} type {} ", attrib, attrib.getClass().getName());
Object claim = attribMap.get(attrib);
if (attrib.equals("realm_access")) {
log.error("Define on roles for entire client");
jsonClaim = (JSONObject) claim;
if (!jsonClaim.isEmpty()) {
log.error("JobClaim is {}", jsonClaim);
Object roleStr = jsonClaim.get("roles");
if (roleStr != null) {
log.error("Role String {}", roleStr.getClass().getName());
JSONArray theRoles = (JSONArray) roleStr; //jsonClaim.get("roles");
for (Object roleName : theRoles) {
log.error("Name {} ", roleName);
}
}
}
}
if (attrib.equals("resource_access")) {
log.error("Unique to attrib client");
jsonClaim = (JSONObject) claim;
if (!jsonClaim.isEmpty()) {
log.error("Job is {}", jsonClaim);
String clientName = jsonClaim.keySet().iterator().next();
log.error("Client name {}", clientName);
JSONObject roleObj = (JSONObject) jsonClaim.get(clientName);
Object roleNames = roleObj.get("roles");
log.error("Role names {}", roleNames.getClass().getName());
JSONArray theRoles = (JSONArray) roleObj.get("roles");
for (Object roleName : theRoles) {
log.error("Name {} ", roleName);
}
}
}
}
var userInfo = oidcUserAuthority.getUserInfo();
log.error("UserInfo {}", userInfo);
for (String key : userInfo.getClaims().keySet()) {
log.error("UserInfo keys {}", key);
}
if (userInfo.containsClaim(ROLES_CLAIM)) {
var roles = userInfo.getClaimAsStringList(ROLES_CLAIM);
mappedAuthorities.addAll(generateAuthoritiesFromClaim(roles));
} else {
log.error("userInfo DID NOT FIND A claim");
}
} else {
var oauth2UserAuthority = (SimpleGrantedAuthority) authority;
log.error("Authority name " + authority.getClass().getName());
}
}
return mappedAuthorities;
};
}
private Collection<GrantedAuthority> generateAuthoritiesFromClaim(Collection<String> roles) {
return roles.stream()
.map(role -> new SimpleGrantedAuthority("ROLE_" + role))
.collect(Collectors.toList());
}
}
Please note this code is based on a sample found at OAuth2 Login with custom granted authorities from UserInfo
The access to Attributes is my own work.
Note an error message will be generated at the highest level if no realm_access or resource_access is found, as I assume that wanting to decode a Keycloak reference is the reason for using this code.
When working correctly, it generates the following output
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Discovered an Oidc type of object
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name at_hash type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name sub type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name resource_access type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Unique to attrib client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Job is {"spring-cloud-gateway-client":{"roles":["ROLE_ADMIN_CLIENT"]}}
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Client name spring-cloud-gateway-client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Role names net.minidev.json.JSONArray
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Name ROLE_ADMIN_CLIENT
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name email_verified type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name iss type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name typ type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name preferred_username type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name nonce type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name aud type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name acr type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name realm_access type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Define on roles for entire client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : JobClaim is {"roles":["ROLE_ANYONE"]}
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Role String net.minidev.json.JSONArray
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Name ROLE_ANYONE
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name azp type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name auth_time type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name exp type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name session_state type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name iat type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name jti type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo org.springframework.security.oauth2.core.oidc.OidcUserInfo#8be9a0b8
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys sub
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys email_verified
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys preferred_username
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : userInfo DID NOT FIND A claim
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 DEBUG 7394 --- [or-http-epoll-5] o.s.w.r.f.client.ExchangeFunctions : [34ff3355] Cancel signal (to close connection)
2021-05-29 15:32:11.252 DEBUG 7394 --- [or-http-epoll-5] o.s.w.r.f.client.ExchangeFunctions : [1b083d68] Cancel signal (to close connection)
2021-05-29 15:32:11.254 DEBUG 7394 --- [or-http-epoll-5] ebSessionServerSecurityContextRepository : Saved SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [anon], Granted Authorities: [[ROLE_USER, SCOPE_email, SCOPE_openid, SCOPE_profile, SCOPE_roles]], User Attributes: [{at_hash=GCz2JybWiLc-42ACnjLJ6w, sub=6de0d95f-95b0-419d-87a4-b2862e8d0763, resource_access={"spring-cloud-gateway-client":{"roles":["ROLE_ADMIN_CLIENT"]}}, email_verified=true, iss=http://clunk:8080/auth/realms/spring-cloud-gateway-realm, typ=ID, preferred_username=anon, nonce=2V8_3siQjTOIRbfs68BHwzvz3-dWeqXGUultzhJUWrA, aud=[spring-cloud-gateway-client], acr=0, realm_access={"roles":["ROLE_ANYONE"]}, azp=spring-cloud-gateway-client, auth_time=2021-05-29T14:24:18Z, exp=2021-05-29T14:52:11Z, session_state=dd226823-90bc-429e-9cac-bb575b7d4fa0, iat=2021-05-29T14:32:11Z, jti=7d479a85-d76e-4930-9c86-b384a56d7af5}], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession#69c3d462'

Related

Hibernate not updating schema automatically

I am using SpringBoot with Hibernate. I have 2 Postgres datasources. I have an existing database (pims) and a new database (powwow), and some entities. When I start up SpringBoot, I would like it to automatically create the tables in the new powwow database, however it is not doing so.
application.properties
# pims datasource
spring.datasource1.driver-class-name=org.postgresql.Driver
spring.datasource1.jdbc-url=jdbc:postgresql://localhost:5432/pims
spring.datasource1.username=postgres
spring.datasource1.password=postgres
# powwow datasource
spring.datasource2.driver-class-name=org.postgresql.Driver
spring.datasource2.jdbc-url=jdbc:postgresql://localhost:5432/powwow
spring.datasource2.username=postgres
spring.datasource2.password=postgres
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.database-platform=postgres
spring.jpa.hibernate.ddl-auto=update
#spring.jpa.properties.hibernate.hbm2ddl.auto=update
#spring.jpa.generate-ddl=true
#spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
spring.datasource2.dbcp2.test-while-idle=true
spring.datasource2.dbcp2.validation-query=select 1
spring.jpa.hibernate.naming.implicit-strategy=org.hibernate.boot.model.naming.ImplicitNamingStrategyLegacyHbmImpl
spring.jpa.hibernate.naming.physical-strategy=org.springframework.boot.orm.jpa.hibernate.SpringPhysicalNamingStrategy
# logging
logging.level.org.hibernate.SQL=DEBUG
logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
Example entity:
PowWowActivityEntity.java
#Entity
#Table(name = "powwowactivity")
public class PowWowActivityEntity {
#Id
#Column(name = "activity_id")
#GeneratedValue(strategy = GenerationType.IDENTITY)
private Long activity_id;
#Column(name = "status")
private String status;
Output
2022-08-16 09:19:13.227 INFO 65945 --- [ main] com.clubtravel.powwow.PowWowApplication : Started PowWowApplication in 11.544 seconds (JVM running for 12.617)
2022-08-16 09:19:13.255 DEBUG 65945 --- [ scheduling-1] org.hibernate.SQL : select count(*) as col_0_0_ from powwowglaccountmapping powwowglac0_
2022-08-16 09:19:13.269 DEBUG 65945 --- [ Async-1] org.hibernate.SQL : insert into powwowactivity (comment, create_date, status, user_name) values (?, ?, ?, ?)
2022-08-16 09:19:13.272 TRACE 65945 --- [ Async-1] o.h.type.descriptor.sql.BasicBinder : binding parameter [1] as [VARCHAR] - [Server started on HOST: Richards-MacBook-Pro.local.]
2022-08-16 09:19:13.273 TRACE 65945 --- [ Async-1] o.h.type.descriptor.sql.BasicBinder : binding parameter [2] as [TIMESTAMP] - [Tue Aug 16 09:19:13 SAST 2022]
2022-08-16 09:19:13.274 TRACE 65945 --- [ Async-1] o.h.type.descriptor.sql.BasicBinder : binding parameter [3] as [VARCHAR] - [Info]
2022-08-16 09:19:13.274 TRACE 65945 --- [ Async-1] o.h.type.descriptor.sql.BasicBinder : binding parameter [4] as [VARCHAR] - [system]
2022-08-16 09:19:13.281 WARN 65945 --- [ Async-1] o.h.engine.jdbc.spi.SqlExceptionHelper : SQL Error: 0, SQLState: 42P01
2022-08-16 09:19:13.281 ERROR 65945 --- [ Async-1] o.h.engine.jdbc.spi.SqlExceptionHelper : ERROR: relation "powwowactivity" does not exist
Question
I thought by adding the following line, the new tables would automatically be created by updating the schema. Any ideas? Is this not working because I have more than one datasource?
spring.jpa.hibernate.ddl-auto=update

The reason it was not working is because i have 2 datasources defined. If i change the config to update, it works (properties.put("hibernate.hbm2ddl.auto", "update");):
#Bean(name = "powwowEntityManager")
#Primary
public LocalContainerEntityManagerFactoryBean powwowEntityManager() {
LocalContainerEntityManagerFactoryBean em = new LocalContainerEntityManagerFactoryBean();
em.setDataSource(powwowDataSource());
em.setPackagesToScan(new String[] { "com.clubtravel.powwow.entities.powwow" });
HibernateJpaVendorAdapter vendorAdapter = new HibernateJpaVendorAdapter();
em.setJpaVendorAdapter(vendorAdapter);
HashMap<String, Object> properties = new HashMap<>();
// properties.put("hibernate.hbm2ddl.auto",env.getProperty("hibernate.hbm2ddl.auto"));
// properties.put("hibernate.dialect",env.getProperty("hibernate.dialect"));
properties.put("hibernate.hbm2ddl.auto", "update");
properties.put("hibernate.dialect", "org.hibernate.dialect.PostgreSQLDialect");
em.setJpaPropertyMap(properties);
logger.info("Setting spring.datasource2 (powwowEntityManager) hibernate.hbm2ddl.auto = "+env.getProperty("hibernate.hbm2ddl.auto")+" and hibernate.dialect = "+env.getProperty("hibernate.dialect"));
return em;
}

Spring Cloud config client not picking values from Config server

My Config client is not picking the property values from config
server.
http://localhost:8888/customer_service/default
Above Config server endpoint is returning proper values for Config client,
{
"name": "customer_service",
"profiles": [
"default"
],
"label": null,
"version": "c7648db5662dc65aeaad9c91abbf58b41010be7c",
"state": null,
"propertySources": [
{
"name": "https://github.com/prasadrpm/MicroService_config.git/customer_service.properties",
"source": {
"customer.config.location": "XXXX",
"customer.config.name": "YYYY"
}
}
]
}
Config client bootstrap.properties
server.port=8080
spring.application.name=customer_service
spring.cloud.config.enabled=true
spring.cloud.config.name=config_server
spring.cloud.config.uri=http://localhost:8888
Config client Log
2020-04-10 16:47:00.725 INFO 14976 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : http://localhost:8888
2020-04-10 16:47:03.267 INFO 14976 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Located environment: name=config_server, profiles=[default], label=null, version=c7648db5662dc65aeaad9c91abbf58b41010be7c, state=null
2020-04-10 16:47:03.269 INFO 14976 --- [ main] b.c.PropertySourceBootstrapConfiguration : Located property source: [BootstrapPropertySource {name='bootstrapProperties-configClient'}]
2020-04-10 16:47:03.280 INFO 14976 --- [ main] com.customer.CustomerServiceApplication : No active profile set, falling back to default profiles: default
...
2020-04-10 16:47:05.164 INFO 14976 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 1860 ms
2020-04-10 16:47:05.549 WARN 14976 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'customerController': Injection of autowired dependencies failed; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'customer.config.location' in value "${customer.config.location}"
2020-04-10 16:47:05.552 INFO 14976 --- [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2020-04-10 16:47:05.577 INFO 14976 --- [ main] ConditionEvaluationReportLoggingListener :
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2020-04-10 16:47:05.595 ERROR 14976 --- [ main] o.s.boot.SpringApplication : Application run failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'customerController': Injection of autowired dependencies failed; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'customer.config.location' in value "${customer.config.location}"
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:405) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1422) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:594) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:517) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:323) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:321) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]

The URL that returns you correct properties/configuration is: localhost:8888/customer_service/default
Client application is querying for properties based on following data:
c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : http://localhost:8888
c.c.c.ConfigServicePropertySourceLocator : Located environment: name=config_server, profiles=[default], label=null, version=c7648db5662dc65aeaad9c91abbf58b41010be7c, state=null
b.c.PropertySourceBootstrapConfiguration : Located property source: [BootstrapPropertySource {name='bootstrapProperties-configClient'}]
com.customer.CustomerServiceApplication : No active profile set, falling back to default profiles: default
...
So, effectively, client application is calling:
localhost:8888/config_server/default
So, there are two solutions:
delete spring.cloud.config.name=config_server property in bootstrap.properties, and your application should be able to fetch properties.
update value of spring.cloud.config.name to customer_service service. But if you do not provide spring.cloud.config.name explicitly, then client will use spring.application.name as the default value for spring.cloud.config.name.

What annotation you had used here?
It can be easily retrieved like this.
#Value("${customer.config.location}")
private String someOtherProperty;
and it is not needed
spring.cloud.config.name=config_server

Secured controller returns 403 one one action but not on another in Grails app

I have a controller in my app as follows:
#Secured(UserRoles.ROLE_USER)
class ProjectController implements BaseController, SpringSecurityAware {
ProjectService projectService
def create(ProjectCommand command) {
...
}
def update(ProjectCommand command) {
Long projectId = params.id
...
}
}
And it mapped as follows:
post "/v1/api/project" (controller: "project", action: "create")
put "/v1/api/project/$id" {
controller = "project"
action = "update"
constraints {
id(matches:/\\\d+/)
}
}
I am using spring security rest with a custom token storage. The authentication mechanism works properly, as it's been tested and run for a while already.
When I am sending the post request to create the project, everything works fine.
However, if I am trying to update the project I am getting 403 without even getting into the action method.
My request looks like this:
PUT /v1/api/project/12 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9....0qS2PUw8PQ
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cookie: JSESSIONID=61F4874A906D706062C0209CEBF2AC3E
Host: localhost:8080
Connection: close
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.5) GCDHTTPRequest
Content-Length: 77
title=Project+Update&background=Background&problemStatement=Problem+Statement
Notes:
UserRoles.ROLE_USER is a simple string
If I am debugging the request, the resolved user does have the expected authorities
What am I missing?
I suspect that there is something wrong with UrlMapping
UPDATE
Here is the debug log... It does not make much sense to me. It seems like it authenticated properly, but at the very end, the role was not allowed, even though it was the correct role.
2018-07-03 01:14:59.665 DEBUG --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/v1/api/project/12'; against '/v1/login'
2018-07-03 01:14:59.665 DEBUG --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/v1/api/project/12'; against '/v1/api/**'
2018-07-03 01:14:59.667 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 1 of 7 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter'
2018-07-03 01:14:59.674 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 2 of 7 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2018-07-03 01:14:59.675 DEBUG --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/v1/api/project/12'; against '/logoff'
2018-07-03 01:14:59.675 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 3 of 7 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2018-07-03 01:14:59.675 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestAuthenticationFilter : Actual URI is /v1/api/project/12; endpoint URL is /api/login
2018-07-03 01:14:59.675 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 4 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-07-03 01:14:59.681 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 5 of 7 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
2018-07-03 01:14:59.690 DEBUG --- [nio-8080-exec-4] g.p.s.r.token.bearer.BearerTokenReader : Looking for bearer token in Authorization header, query string or Form-Encoded body parameter
2018-07-03 01:14:59.690 DEBUG --- [nio-8080-exec-4] g.p.s.r.token.bearer.BearerTokenReader : Found bearer token in Authorization header
2018-07-03 01:14:59.690 DEBUG --- [nio-8080-exec-4] g.p.s.r.token.bearer.BearerTokenReader : Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g
2018-07-03 01:14:59.699 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestTokenValidationFilter : Token found: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g
2018-07-03 01:14:59.699 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestTokenValidationFilter : Trying to authenticate the token
2018-07-03 01:14:59.699 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestAuthenticationProvider : Use JWT: false
2018-07-03 01:14:59.699 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestAuthenticationProvider : Trying to validate token eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g
2018-07-03 01:14:59.873 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestAuthenticationProvider : Authentication result: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g, accessTokenJwt:null, expiration:null, refreshToken:null, refreshTokenJwt:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER, super:grails.plugin.springsecurity.rest.token.AccessToken#4430b82e: Principal: grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER)
2018-07-03 01:14:59.873 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestTokenValidationFilter : Token authenticated. Storing the authentication result in the security context
2018-07-03 01:14:59.873 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestTokenValidationFilter : Authentication result: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g, accessTokenJwt:null, expiration:null, refreshToken:null, refreshTokenJwt:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER, super:grails.plugin.springsecurity.rest.token.AccessToken#4430b82e: Principal: grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER)
2018-07-03 01:14:59.873 DEBUG --- [nio-8080-exec-4] g.p.s.rest.RestTokenValidationFilter : Continuing the filter chain
2018-07-03 01:14:59.878 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-07-03 01:14:59.878 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /v1/api/project/12 at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-07-03 01:14:59.977 DEBUG --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /v1/api/project/12; Attributes: [_DENY_]
2018-07-03 01:14:59.978 DEBUG --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1qTTFPRGxETjBWR1FUQXlOa00wUkRoR056TkZSRGs1TlRFME1VVXlRa0ZDT0VFelJUazBRdyJ9.eyJpc3MiOiJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNjY0NzgyMTY3NjY0Mzk5ODE2MCIsImF1ZCI6WyJodHRwczovL3ByaXotZGV2LmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9wcml6LWRldi5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTMwNjA1NjU5LCJleHAiOjE1MzA2MTI4NTksImF6cCI6ImtXcnJTT2Nsam1xM3dHTDB1SXR6ZVZ0ZjBMdzdidnlMIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.Oybu4Y4JKhWxuBBWST4f7bqge6AXxvx6wREkhU5OfA8WiR5vJ9Jd8NwjbsdfBss8A4ECjmsDTJb7yCT7nWlr0BAdimhcM6-hU_RtOEl8u_zxPnJrT4I58m_j2eWjoyGCa2snwnBwX1F49ls75bBeH_SEgd4pFanptfUCI2_UluqmvBnSuq_v5bGcB87k0OCcfXR_sZs8Cj_Llt-pgf8yYYisX8EBwfyTm6DeHcSgYPQedGY5zORuZ5T6jlpx3xJwc8J3MrXXUyTRvvZPy7mzyyd12Yfjmh2qrFZ_yFY9yaJVAMtZheLAT0GiamrRtLwL6AcQ-zdJqZJ6ik_4nLPw8g, accessTokenJwt:null, expiration:null, refreshToken:null, refreshTokenJwt:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER, super:grails.plugin.springsecurity.rest.token.AccessToken#4430b82e: Principal: grails.plugin.springsecurity.userdetails.GrailsUser#2dba1e: Username: alex; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER)
2018-07-03 01:14:59.979 DEBUG --- [nio-8080-exec-4] o.s.s.a.h.RoleHierarchyImpl : getReachableGrantedAuthorities() - From the roles [ROLE_USER] one can reach [ROLE_USER] in zero or more steps.
2018-07-03 01:14:59.997 DEBUG --- [nio-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
at grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager.decide(AuthenticatedVetoableDecisionManager.groovy:50)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at javax.servlet.FilterChain$doFilter.call(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:136)
at grails.plugin.springsecurity.rest.RestTokenValidationFilter.processFilterChain(RestTokenValidationFilter.groovy:121)
at grails.plugin.springsecurity.rest.RestTokenValidationFilter.doFilter(RestTokenValidationFilter.groovy:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at grails.plugin.springsecurity.rest.RestAuthenticationFilter.doFilter(RestAuthenticationFilter.groovy:139)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.groovy:64)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.groovy:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2018-07-03 01:15:00.005 DEBUG --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/v1/login'
2018-07-03 01:15:00.005 DEBUG --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/v1/api/**'
2018-07-03 01:15:00.005 DEBUG --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /error has no matching filters

Apparently, the problem was not related to security at all.
The issue was with the UrlMapping.
The UrlMapping for the update was supposed to be:
put "/v1/api/project/$id" {
controller = "project"
action = "update"
constraints {
id(matches:/\d+/)
}
}
The regex for constraints was wrong.
However, I still don't understand why 403 was returned and not 404.

Spring data #Query joda datetime postgresql exception

I have an Entity with 2 Columns with joda DateTime.
#Column(name = "track_start", columnDefinition= "TIMESTAMP WITH TIME ZONE")
#Type(type = "org.jadira.usertype.dateandtime.joda.PersistentDateTime")
private DateTime start;
#Column(name = "tracke_end", columnDefinition= "TIMESTAMP WITH TIME ZONE")
#Type(type = "org.jadira.usertype.dateandtime.joda.PersistentDateTime")
private DateTime end;
Then I have a Spring data Repository with a find method:
#Query("SELECT tt FROM Timetrack tt "
+ "WHERE (:dateFrom is null OR tt.start >= :dateFrom) "
+ "AND (:dateTo is null OR tt.end <= :dateTo)")
Page<Timetrack> findBy(#Param("dateFrom") DateTime dateFrom,
#Param("dateTo") DateTime dateTo,
Pageable pageable);
If I call that finder method I got an Exception:
org.postgresql.util.PSQLException: ERROR: could not determine data type of parameter $2
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2455)
If I change the #Param to Date instead of DateTime I got this Exception:
java.lang.IllegalArgumentException: Parameter value [Fri Jun 01 19:26:44 CEST 2018] did not match expected type [org.joda.time.DateTime (n/a)]
at org.hibernate.jpa.spi.BaseQueryImpl.validateBinding(BaseQueryImpl.java:897)
at org.hibernate.jpa.internal.QueryImpl.access$000(QueryImpl.java:61)
So does somebody have an idea?
Here the logging output from hibernate:
Hibernate: select timetrack0_.id as id1_6_, timetrack0_.created as created2_6_, timetrack0_.entity_status as entity_s3_6_, timetrack0_.updated as updated4_6_, timetrack0_.user_identity_id as user_ide9_6_, timetrack0_.tracke_end as tracke_e5_6_, timetrack0_.frozen_at as frozen_a6_6_, timetrack0_.invoice_id as invoice10_6_, timetrack0_.project_id as project11_6_, timetrack0_.track_start as track_st7_6_, timetrack0_.task as task8_6_ from timetrack timetrack0_ where ( timetrack0_.entity_status = 'active') and (? is null or timetrack0_.track_start>=?) and (? is null or timetrack0_.tracke_end<=?) order by timetrack0_.track_start asc limit ? offset ?
2018-06-09 21:32:05.804 TRACE 14006 --- [ main] o.h.type.descriptor.sql.BasicBinder : binding parameter [1] as [TIMESTAMP] - [2018-06-09 20:32:05.604]
2018-06-09 21:32:05.806 TRACE 14006 --- [ main] o.h.type.descriptor.sql.BasicBinder : binding parameter [2] as [TIMESTAMP] - [2018-06-09 20:32:05.604]
2018-06-09 21:32:05.808 TRACE 14006 --- [ main] o.h.type.descriptor.sql.BasicBinder : binding parameter [3] as [TIMESTAMP] - [2018-06-10 02:32:05.604]
2018-06-09 21:32:05.809 TRACE 14006 --- [ main] o.h.type.descriptor.sql.BasicBinder : binding parameter [4] as [TIMESTAMP] - [2018-06-10 02:32:05.604]

With in-mem database for testing, entity manager not releasing locks 'unable to obtain lock'

I have a Spring Boot app with some integration tests inspecting the results from front-end operations on data in the database.
The app uses DataNucleus JPA underneath spring-data-jpa and spring-data-rest, with an in-memory database, e.g. Derby, set up automatically via Spring Boot testing.
I used to use Hibernate, but I swopped it for DataNucleus. The tests all passed with Hibernate, but now my test JdbcTemplate queries are hanging, as though JPA isn't releasing its locks.
I've tried it with H2 (fails silently), Derby (hangs until time-out) and HSQLDB (hangs forever).
I have tried various work-arounds, e.g. without transactions #Transactional(Transactional.TxType.NEVER) or with/without commits #Rollback(true/false)
Spring Boot instantiates the datasource automatically and injects it into the EntityManagerFactory and the JdbcTemplate.
This is the test:
#ExtendWith(SpringExtension.class)
#SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.MOCK,
classes = { TestDataSourceConfig.class })
#EnableAutoConfiguration
#AutoConfigureMockMvc
#AutoConfigureTestDatabase(connection = EmbeddedDatabaseConnection.DERBY)
#Transactional
public class SymbolRestTests {
#Autowired
private MockMvc mockMvc;
#Autowired
private JdbcTemplate jdbcTemplate;
#Autowired
private SymbolRepository symbolRepository;
#PersistenceContext
private EntityManager entityManager;
#Before
public void setUp() throws Exception {
symbolRepository.deleteAll();
entityManager.flush();
entityManager.clear();
}
#Test
public void shouldCreateEntity() throws Exception {
String testTitle = "TEST.CODE.1";
String testExtra = "Test for SymbolRestTests.java";
String json = createJsonExample(testTitle, testExtra, true);
MockHttpServletRequestBuilder requestBuilder =
post("/symbols").content(json);
mockMvc.perform(requestBuilder)
.andExpect(status().isCreated())
.andExpect(header().string("Location",
containsString("symbols/")));
entityManager.flush();
entityManager.close(); // this didn't help
String sql = "SELECT count(*) FROM symbol WHERE title = ?";
// exception thrown on this next line
int count = jdbcTemplate.queryForObject(
sql, new Object[] { testTitle }, Integer.class);
Assert.assertThat(count, is(1));
}
}
and this is the error from HSQLDB (seems to be the most informative):
org.springframework.dao.CannotAcquireLockException: PreparedStatementCallback;
SQL [SELECT count(*) FROM symbol WHERE title = ?];
A lock could not be obtained within the time requested;
nested exception is java.sql.SQLTransactionRollbackException:
A lock could not be obtained within the time requested
at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:259)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:73)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:649)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:684)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:716)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:726)
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:794)
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:813)
at com.gis.integration.SymbolRestTests.shouldCreateEntity(SymbolRestTests.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:316)
at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:114)
at org.junit.jupiter.engine.descriptor.MethodTestDescriptor.lambda$invokeTestMethod$6(MethodTestDescriptor.java:171)
at org.junit.jupiter.engine.execution.ThrowableCollector.execute(ThrowableCollector.java:40)
at org.junit.jupiter.engine.descriptor.MethodTestDescriptor.invokeTestMethod(MethodTestDescriptor.java:168)
at org.junit.jupiter.engine.descriptor.MethodTestDescriptor.execute(MethodTestDescriptor.java:115)
at org.junit.jupiter.engine.descriptor.MethodTestDescriptor.execute(MethodTestDescriptor.java:57)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.lambda$execute$1(HierarchicalTestExecutor.java:81)
at org.junit.platform.engine.support.hierarchical.SingleTestExecutor.executeSafely(SingleTestExecutor.java:66)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:76)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.lambda$execute$1(HierarchicalTestExecutor.java:91)
at org.junit.platform.engine.support.hierarchical.SingleTestExecutor.executeSafely(SingleTestExecutor.java:66)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:76)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.lambda$execute$1(HierarchicalTestExecutor.java:91)
at org.junit.platform.engine.support.hierarchical.SingleTestExecutor.executeSafely(SingleTestExecutor.java:66)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:76)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:51)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:43)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:137)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:87)
at org.junit.platform.launcher.Launcher.execute(Launcher.java:93)
at com.intellij.junit5.JUnit5IdeaTestRunner.startRunnerWithArgs(JUnit5IdeaTestRunner.java:61)
at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:51)
at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: java.sql.SQLTransactionRollbackException: A lock could not be obtained within the time requested
at org.apache.derby.impl.jdbc.SQLExceptionFactory.getSQLException(Unknown Source)
at org.apache.derby.impl.jdbc.Util.generateCsSQLException(Unknown Source)
at org.apache.derby.impl.jdbc.TransactionResourceImpl.wrapInSQLException(Unknown Source)
at org.apache.derby.impl.jdbc.TransactionResourceImpl.handleException(Unknown Source)
at org.apache.derby.impl.jdbc.EmbedConnection.handleException(Unknown Source)
at org.apache.derby.impl.jdbc.ConnectionChild.handleException(Unknown Source)
at org.apache.derby.impl.jdbc.EmbedResultSet.closeOnTransactionError(Unknown Source)
at org.apache.derby.impl.jdbc.EmbedResultSet.movePosition(Unknown Source)
at org.apache.derby.impl.jdbc.EmbedResultSet.next(Unknown Source)
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:92)
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60)
at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:697)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:633)
... 35 more
Caused by: ERROR 40XL1: A lock could not be obtained within the time requested
at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
at org.apache.derby.impl.services.locks.ConcurrentLockSet.lockObject(Unknown Source)
at org.apache.derby.impl.services.locks.ConcurrentLockSet.zeroDurationLockObject(Unknown Source)
at org.apache.derby.impl.services.locks.AbstractPool.zeroDurationlockObject(Unknown Source)
at org.apache.derby.impl.services.locks.ConcurrentPool.zeroDurationlockObject(Unknown Source)
at org.apache.derby.impl.store.raw.xact.RowLocking2nohold.lockRecordForRead(Unknown Source)
at org.apache.derby.impl.store.access.heap.HeapController.lockRow(Unknown Source)
at org.apache.derby.impl.store.access.heap.HeapController.lockRow(Unknown Source)
at org.apache.derby.impl.store.access.btree.index.B2IRowLocking3.lockRowOnPage(Unknown Source)
at org.apache.derby.impl.store.access.btree.index.B2IRowLocking3._lockScanRow(Unknown Source)
at org.apache.derby.impl.store.access.btree.index.B2IRowLockingRR.lockScanRow(Unknown Source)
at org.apache.derby.impl.store.access.btree.BTreeForwardScan.fetchRows(Unknown Source)
at org.apache.derby.impl.store.access.btree.BTreeScan.fetchNextGroup(Unknown Source)
at org.apache.derby.impl.sql.execute.BulkTableScanResultSet.reloadArray(Unknown Source)
at org.apache.derby.impl.sql.execute.BulkTableScanResultSet.getNextRowCore(Unknown Source)
at org.apache.derby.impl.sql.execute.ProjectRestrictResultSet.getNextRowCore(Unknown Source)
at org.apache.derby.impl.sql.execute.ScalarAggregateResultSet.getRowFromResultSet(Unknown Source)
at org.apache.derby.impl.sql.execute.ScalarAggregateResultSet.getNextRowCore(Unknown Source)
at org.apache.derby.impl.sql.execute.ProjectRestrictResultSet.getNextRowCore(Unknown Source)
at org.apache.derby.impl.sql.execute.BasicNoPutResultSetImpl.getNextRow(Unknown Source)
... 41 more
Update using DataNucleus transaction documentation I have added some DataNucleus-specific properties to the persistence.xml (without result):
<?xml version="1.0" encoding="UTF-8" ?>
<persistence version="2.1"
xmlns="http://xmlns.jcp.org/xml/ns/persistence"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence
persistence_2_1.xsd">
<persistence-unit name="test">
<provider>org.datanucleus.api.jpa.PersistenceProviderImpl</provider>
<exclude-unlisted-classes>false</exclude-unlisted-classes>
<properties>
<property name="datanucleus.schema.autoCreateAll" value="true"/>
<property name="datanucleus.transactionIsolation" value="read-uncommitted"/>
<property name="datanucleus.NontransactionalRead" value="true"/>
<property name="datanucleus.NontransactionalWrite" value="true"/>
</properties>
</persistence-unit>
</persistence>
UPDATE #2
The log output at DEBUG level showing the DataNucleus-JPA/JdbcTemplate log statements (first the JPA INSERT, then the JdbcTemplate SELECT COUNT(*)):
2017-06-09 14:56:18.055 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(non-enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#5621a671 [conn=org.apache.derby.impl.jdbc.EmbedConnection#2006fdaa, commitOnRelease=true, closeOnRelease=true, closeOnTxnEnd=true]" is being committed.
2017-06-09 14:56:18.055 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(non-enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#5621a671 [conn=org.apache.derby.impl.jdbc.EmbedConnection#2006fdaa, commitOnRelease=true, closeOnRelease=true, closeOnTxnEnd=true]" closed
2017-06-09 14:56:18.068 DEBUG 9492 --- [ main] DataNucleus.Persistence : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" being inserted into table "SYMBOL"
2017-06-09 14:56:18.071 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(non-enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=null, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" opened with isolation level "read-uncommitted" and auto-commit=false
2017-06-09 14:56:18.074 DEBUG 9492 --- [ main] DataNucleus.Transaction : Running enlist operation on resource: org.datanucleus.store.rdbms.ConnectionFactoryImpl$EmulatedXAResource#3d4b45b, error code TMNOFLAGS and transaction: [DataNucleus Transaction, ID=Xid= , enlisted resources=[]]
2017-06-09 14:56:18.076 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=org.apache.derby.impl.jdbc.EmbedConnection#19d76106, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" starting for transaction "Xid= " with flags "0"
2017-06-09 14:56:18.078 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection added to the pool : "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=org.apache.derby.impl.jdbc.EmbedConnection#19d76106, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" for key="org.datanucleus.ExecutionContextImpl#2c47a053" in factory="ConnectionFactory:tx[org.datanucleus.store.rdbms.ConnectionFactoryImpl#204c5ddf]"
2017-06-09 14:56:18.125 DEBUG 9492 --- [ main] DataNucleus.Datastore : Using PreparedStatement "org.datanucleus.store.rdbms.ParamLoggingPreparedStatement#37753b69" for connection "org.apache.derby.impl.jdbc.EmbedConnection#19d76106"
2017-06-09 14:56:18.134 DEBUG 9492 --- [ main] DataNucleus.Datastore.Native : INSERT INTO SYMBOL (ACTIVE,CREATED,EXTRA,GLOBAL_READ,GLOBAL_WRITE,LAST_MODIFIED,TITLE) VALUES (<'Y'>,<2017-06-09>,<null>,<'N'>,<'N'>,<2017-06-09>,<'TEST.CODE.1'>)
2017-06-09 14:56:18.169 DEBUG 9492 --- [ main] DataNucleus.Datastore.Persist : Execution Time = 36 ms (number of rows = 1) on PreparedStatement "org.datanucleus.store.rdbms.ParamLoggingPreparedStatement#37753b69"
2017-06-09 14:56:18.172 DEBUG 9492 --- [ main] DataNucleus.Datastore.Persist : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" was inserted in the datastore and was given strategy value of "1"
2017-06-09 14:56:18.179 DEBUG 9492 --- [ main] DataNucleus.Cache : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" (id="org.datanucleus.identity.IdentityReference#93fb44") being changed to be referenced by id="com.bp.gis.tardis.entity.SymbolEntity:1" in Level 1 cache
2017-06-09 14:56:18.180 DEBUG 9492 --- [ main] DataNucleus.Cache : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" (id="com.bp.gis.tardis.entity.SymbolEntity:1") added to Level 1 cache (loadedFlags="[YYYYYYYYY]")
2017-06-09 14:56:18.180 DEBUG 9492 --- [ main] DataNucleus.Transaction : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" (id="org.datanucleus.identity.IdentityReference#93fb44") enlisted in transactional cache is now enlisted using id="com.bp.gis.tardis.entity.SymbolEntity:1"
2017-06-09 14:56:18.181 DEBUG 9492 --- [ main] DataNucleus.Persistence : Insert of object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" is calling insertPostProcessing for field "com.bp.gis.tardis.entity.SymbolEntity.timeSeriesList"
2017-06-09 14:56:18.181 DEBUG 9492 --- [ main] DataNucleus.Datastore : Closing PreparedStatement "org.datanucleus.store.rdbms.ParamLoggingPreparedStatement#37753b69"
2017-06-09 14:56:18.181 DEBUG 9492 --- [ main] DataNucleus.Persistence : Insert of object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" is calling postInsert for field "com.bp.gis.tardis.entity.SymbolEntity.timeSeriesList"
2017-06-09 14:56:18.205 DEBUG 9492 --- [ main] DataNucleus.Persistence : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" field "timeSeriesList" is replaced by a SCO wrapper of type "org.datanucleus.store.types.wrappers.backed.List" [cache-values=true, lazy-loading=true, allow-nulls=true]
2017-06-09 14:56:18.207 DEBUG 9492 --- [ main] DataNucleus.Persistence : ExecutionContext.internalFlush() process finished
2017-06-09 14:56:18.218 DEBUG 9492 --- [ main] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL query
2017-06-09 14:56:18.220 DEBUG 9492 --- [ main] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL statement [SELECT count(*) FROM symbol WHERE title = ?]
2017-06-09 14:56:18.250 TRACE 9492 --- [ main] o.s.jdbc.core.StatementCreatorUtils : Setting SQL statement parameter value: column index 1, parameter value [TEST.CODE.1], value class [java.lang.String], SQL type unknown
2017-06-09 14:57:18.298 INFO 9492 --- [ main] o.s.b.f.xml.XmlBeanDefinitionReader : Loading XML bean definitions from class path resource [org/springframework/jdbc/support/sql-error-codes.xml]
2017-06-09 14:57:18.390 INFO 9492 --- [ main] o.s.jdbc.support.SQLErrorCodesFactory : SQLErrorCodes loaded: [DB2, Derby, H2, HSQL, Informix, MS-SQL, MySQL, Oracle, PostgreSQL, Sybase, Hana]
MockHttpServletRequest:
HTTP Method = POST
Request URI = /symbols
Parameters = {}
Headers = {}
Handler:
Type = org.springframework.data.rest.webmvc.RepositoryEntityController
Method = public org.springframework.http.ResponseEntity<org.springframework.hateoas.ResourceSupport> org.springframework.data.rest.webmvc.RepositoryEntityController.postCollectionResource(org.springframework.data.rest.webmvc.RootResourceInformation,org.springframework.data.rest.webmvc.PersistentEntityResource,org.springframework.data.rest.webmvc.PersistentEntityResourceAssembler,java.lang.String) throws org.springframework.web.HttpRequestMethodNotSupportedException
Async:
Async started = false
Async result = null
Resolved Exception:
Type = null
ModelAndView:
View name = null
View = null
Model = null
FlashMap:
Attributes = null
MockHttpServletResponse:
Status = 201
Error message = null
Headers = {X-Application-Context=[application:-1], Location=[http://localhost/symbols/0]}
Content type = null
Body =
Forwarded URL = null
Redirected URL = http://localhost/symbols/0
Cookies = []
2017-06-09 14:57:18.424 DEBUG 9492 --- [ main] DataNucleus.Transaction : Transaction rolling back for ExecutionContext org.datanucleus.ExecutionContextImpl#2c47a053
2017-06-09 14:57:18.429 DEBUG 9492 --- [ main] DataNucleus.Lifecycle : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" (id="com.bp.gis.tardis.entity.SymbolEntity:1") has a lifecycle change : "P_NEW"->""
2017-06-09 14:57:18.447 DEBUG 9492 --- [ main] DataNucleus.Transaction : Object "com.bp.gis.tardis.entity.SymbolEntity#59c08cf1" (id="com.bp.gis.tardis.entity.SymbolEntity:1") was evicted from transactional cache
2017-06-09 14:57:18.448 DEBUG 9492 --- [ main] DataNucleus.Persistence : Disconnecting com.bp.gis.tardis.entity.SymbolEntity#59c08cf1 from StateManager[pc=com.bp.gis.tardis.entity.SymbolEntity#59c08cf1, lifecycle=P_NEW]
2017-06-09 14:57:18.451 DEBUG 9492 --- [ main] DataNucleus.Cache : Object with id="com.bp.gis.tardis.entity.SymbolEntity:1" being removed from Level 1 cache [current cache size = 1]
2017-06-09 14:57:18.451 DEBUG 9492 --- [ main] DataNucleus.Transaction : Rolling back [DataNucleus Transaction, ID=Xid= , enlisted resources=[org.datanucleus.store.rdbms.ConnectionFactoryImpl$EmulatedXAResource#3d4b45b]]
2017-06-09 14:57:18.452 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=org.apache.derby.impl.jdbc.EmbedConnection#19d76106, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" rolling back for transaction "Xid= "
2017-06-09 14:57:18.461 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection(non-enlisted) "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=org.apache.derby.impl.jdbc.EmbedConnection#19d76106, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" closed
2017-06-09 14:57:18.461 DEBUG 9492 --- [ main] DataNucleus.Connection : ManagedConnection removed from the pool : "org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl#63a7af06 [conn=org.apache.derby.impl.jdbc.EmbedConnection#19d76106, commitOnRelease=false, closeOnRelease=false, closeOnTxnEnd=true]" for key="org.datanucleus.ExecutionContextImpl#2c47a053" in factory="ConnectionFactory:tx[org.datanucleus.store.rdbms.ConnectionFactoryImpl#204c5ddf]"
2017-06-09 14:57:18.462 DEBUG 9492 --- [ main] DataNucleus.Transaction : Transaction rolled back in 38 ms
2017-06-09 14:57:18.462 DEBUG 9492 --- [ main] DataNucleus.Persistence : ExecutionContext "org.datanucleus.ExecutionContextImpl#2c47a053" closed
2017-06-09 14:57:18.463 INFO 9492 --- [ main] o.s.t.c.transaction.TransactionContext : Rolled back transaction for test context [DefaultTestContext#1f6f0fe2 testClass = SymbolRestTests, testInstance = com.bp.gis.tardis.integration.SymbolRestTests#22604c7e, testMethod = shouldCreateEntity#SymbolRestTests, testException = org.springframework.dao.CannotAcquireLockException: PreparedStatementCallback; SQL [SELECT count(*) FROM symbol WHERE title = ?]; A lock could not be obtained within the time requested; nested exception is java.sql.SQLTransactionRollbackException: A lock could not be obtained within the time requested, mergedContextConfiguration = [WebMergedContextConfiguration#3a48c398 testClass = SymbolRestTests, locations = '{}', classes = '{class com.bp.gis.tardis.config.TestDataSourceConfig, class com.bp.gis.tardis.config.TestDataSourceConfig}', contextInitializerClasses = '[]', activeProfiles = '{}', propertySourceLocations = '{}', propertySourceProperties = '{logging.level.DataNucleus=DEBUG, logging.level.com.bp.gis.tardis=TRACE, logging.level.org.springframework.jdbc.core=TRACE, security.basic.enabled=false, org.springframework.boot.test.context.SpringBootTestContextBootstrapper=true}', contextCustomizers = set[[ImportsContextCustomizer#1b4ba615 key = [#org.springframework.boot.autoconfigure.AutoConfigurationPackage(), #org.junit.FixMethodOrder(value=NAME_ASCENDING), #org.springframework.context.annotation.Import(value=[class org.springframework.boot.autoconfigure.AutoConfigurationPackages$Registrar]), #org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase(replace=ANY, connection=DERBY), #org.springframework.boot.autoconfigure.EnableAutoConfiguration(exclude=[], excludeName=[]), #org.springframework.test.context.BootstrapWith(value=class org.springframework.boot.test.context.SpringBootTestContextBootstrapper), #org.junit.jupiter.api.extension.ExtendWith(value=[class org.springframework.test.context.junit.jupiter.SpringExtension]), #org.springframework.transaction.annotation.Transactional(propagation=REQUIRED, rollbackForClassName=[], readOnly=false, isolation=DEFAULT, transactionManager=, noRollbackFor=[], noRollbackForClassName=[], value=, timeout=-1, rollbackFor=[]), #org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc(webDriverEnabled=true, print=DEFAULT, webClientEnabled=true, secure=true, addFilters=true, printOnlyOnFailure=true), #org.springframework.boot.autoconfigure.ImportAutoConfiguration(value=[], exclude=[], classes=[]), #org.junit.platform.commons.meta.API(value=Experimental), #org.springframework.context.annotation.Import(value=[class org.springframework.boot.autoconfigure.ImportAutoConfigurationImportSelector]), #org.springframework.boot.test.autoconfigure.properties.PropertyMapping(value=spring.test.mockmvc, skip=NO), #org.springframework.boot.test.context.SpringBootTest(webEnvironment=MOCK, value=[], properties=[logging.level.DataNucleus=DEBUG, logging.level.com.bp.gis.tardis=TRACE, logging.level.org.springframework.jdbc.core=TRACE, security.basic.enabled=false], classes=[class com.bp.gis.tardis.config.TestDataSourceConfig]), #org.springframework.boot.test.autoconfigure.properties.PropertyMapping(value=spring.test.database, skip=NO), #org.springframework.context.annotation.Import(value=[class org.springframework.boot.autoconfigure.EnableAutoConfigurationImportSelector])]], org.springframework.boot.test.context.SpringBootTestContextCustomizer#702657cc, org.springframework.boot.test.context.filter.ExcludeFilterContextCustomizer#6025e1b6, org.springframework.boot.test.mock.mockito.MockitoContextCustomizer#0, org.springframework.boot.test.autoconfigure.properties.PropertyMappingContextCustomizer#e30f6a3a, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverContextCustomizerFactory$Customizer#1ff4931d], resourceBasePath = 'src/main/webapp', contextLoader = 'org.springframework.boot.test.context.SpringBootContextLoader', parent = [null]]].
UPDATE #3
The logging shows the INSERT by DataNucleus, followed several log statements that all look kosher about entity objects, and then comes
ExecutionContext.internalFlush() process finished
which sounds like the DataNucleus EntityManager flushing. Then comes the logging statement from Spring's JdbcTemplate which wants to read what JPA insert, and it all goes wrong.

Spring does in fact totally wrap the EntityManager for its testing framework and the wrapper just swallows the call to entityManager.close() so that call won't cause transactions to complete.
Spring also throws an error on calls to entityManager.getTransaction().
Typically in my experience of Spring, what just worked with the conventional Spring approach, e.g. Spring Data JPA with fully integrated Hibernate, does not work with DataNucleus.
Thanks go to this SO Q: How to manually force a commit in a #Transactional method?
I took out the #Transactional annotation from the class declaration, and put nothing on the test method, and called a seperate method with REQUIRES_NEW to do the REST-to-database functionality I want to test. Then in the original test method after that call, it was all committed and not locked so I could use Spring's JdbcTemplate to examine the result.
#Test
public void shouldCreateEntity() throws Exception {
String testTitle = "TEST.CODE.1";
String testExtra = "Test for SymbolRestTests.java";
String json = createJsonExample(testTitle, testExtra, true);
log.debug(String.format("JSON==%s", json));
doInNewTransaction(json);
String sql = "SELECT count(*) FROM symbol WHERE title = ?";
int count = jdbcTemplate.queryForObject(
sql, new Object[] { testTitle }, Integer.class);
Assert.assertThat(count, is(1));
}
#Transactional(propagation = Propagation.REQUIRES_NEW)
private void doInNewTransaction(String json) throws Exception {
MockHttpServletRequestBuilder requestBuilder =
post("/symbols").content(json);
mockMvc.perform(requestBuilder)
.andExpect(status().isCreated())
.andExpect(header().string("Location",
containsString("symbols/")));
}