Martin Kneissl (Migrated from SEC-1274) said:

The algorithm of doing the insert with an auto identity column and then checking for the most recent identity value does not work very cleanly on Oracle.

1st problem: There is no auto identity mechanism in Oracle. This can be worked around by creating a sequence and a before insert trigger, leading to the second problem:

2nd problem: Sequences in Oracle are not transactional. When two new objects are created in the database at the same time in different transactions, there would be two sequence values created. Assume transaction 1 ("T1") inserts first, T2 second. T2 will then fail due to the unique constraint. The current sequence value will not be rolled back. That means that the wrong sequence value may be retrieved in T1 if the insert of T2 is interleaved between the insert and the identity query of T1.

This is related to issues SEC-1076 and SEC-479 (issue 4).
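The interleaving described in the report above, as an added simulation that is not part of the original thread, the attached patch, or the Spring Security code. It is an in-memory model with hypothetical names (`Sequence`, `Table`, `insert_then_query`, `allocate_then_insert`) and assumes the identity query returns the sequence's latest value regardless of which transaction consumed it; the second function shows one common alternative, fetching the id before the insert.

```python
# Added simulation (constructed): in-memory model, not Oracle or Spring Security code.
class Sequence:
    """Counter that is not transactional: a consumed value is never rolled back."""
    def __init__(self):
        self.last = 0

    def nextval(self):
        self.last += 1
        return self.last

class Table:
    """Rows keyed by a unique name; ids come from the sequence."""
    def __init__(self):
        self.seq = Sequence()
        self.rows = {}                        # name -> id

    def insert_with_id(self, new_id, name):
        if name in self.rows:                 # unique constraint
            raise ValueError("unique constraint violated: " + name)
        self.rows[name] = new_id

    def insert_with_trigger(self, name):
        # The "before insert" trigger consumes a value before the constraint check.
        self.insert_with_id(self.seq.nextval(), name)

def failing_t2(table, name):
    """T2 inserts a duplicate and rolls back; the sequence stays advanced."""
    try:
        table.insert_with_trigger(name)
    except ValueError:
        pass                                  # rollback: no row kept

def insert_then_query(table, name):
    """Pattern from the report: insert, then read the most recent value."""
    table.insert_with_trigger(name)           # T1 insert
    failing_t2(table, name)                   # T2 interleaves here
    return table.seq.last                     # assumption: query sees the global latest value

def allocate_then_insert(table, name):
    """Alternative: T1 fetches its id first and inserts it explicitly."""
    new_id = table.seq.nextval()
    table.insert_with_id(new_id, name)        # T1 insert
    failing_t2(table, name)                   # same interleaving, now harmless
    return new_id

def demo():
    racy_table, safe_table = Table(), Table()
    racy = insert_then_query(racy_table, "com.example.Doc")      # constructed class name
    safe = allocate_then_insert(safe_table, "com.example.Doc")
    return racy, racy_table.rows["com.example.Doc"], safe, safe_table.rows["com.example.Doc"]
```

In the first pattern T1 is handed an id that differs from the one stored in its own row; in the second the returned id and the stored id agree.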

Comment From: spring-projects-issues

Martin Kneissl said:

Attached a draft patch (OracleMutableAclService.java) to solve the problem.

Comment From: spring-projects-issues

Luke Taylor said:

Thanks for the suggested fix. If possible, this would be better addressed by some modifications to the existing class - e.g. an injectable strategy, rather than a separate class, to avoid duplicating most of the content.

Comment From: spring-projects-issues

Luke Taylor said:

Looking at this again, I have some problems with the existing patch - it seems to have added an additional identity column in acl_object, for example. Is this necessary for some reason? A description of the required changes and the logic behind them would be very useful in deciding how best to address this.

Comment From: rwinch

Marking this as declined as no additional feedback was provided.