When upgrading to Spring Boot 2.7.0 from 2.6.8 we experience a strange issue: Access control to a resource allowed only for an "admin" role works properly when the application is launched through the @SpringBootApplication class but access to the resource is always denied if the application is launched using mvn spring-boot:run.

The security configuration looks like

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/admin-only/**")
                .hasAnyRole(ROLE_ADMIN);
...

When opening http://localhost:8888/admin-only/secret.txt for the first time it redirects to the login view as expected. After logging in the behavior is as follows:

With Spring Boot 2.6.8 or with 2.7.0 when launching the Application class: The resource contents are shown, in this test case

Secret document for admin

With 2.7.0 launched using mvn spring-boot:run:

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.

Fri May 20 16:10:31 EEST 2022
There was an unexpected error (type=Forbidden, status=403).
Forbidden

2.7.0-M1 works as 2.6.8 (as expected), 2.7.0-M2 works as 2.7.0 (strangely)

Comment From: philwebb

@Artur- Are you able to share a project that demonstrates the issue?

Comment From: Artur-

I am testing using https://github.com/vaadin/flow/tree/master/flow-tests/vaadin-spring-tests/test-spring-security-flow but that is not very convenient as it depends on some other modules in the project.

After some digging it seems like the summary here is wrong because it is not related to using spring-boot:run. Not sure why it did not reproduce by running the Application class earlier, but now it reproduces there also.

In fact the problem seems to be related to the H2 version upgrade and the data model used in the project.

It reproduces when having

    @Entity
    public class UserInfo {

        @Id
        @GeneratedValue
        private UUID id;

But if I add @Type(type = "uuid-char") to the field, everything starts to work.

When accessing a private resource I see no exceptions but when accessing a private view that fetches some data from the related Account entity, I also see

    Caused by: javax.persistence.EntityNotFoundException: Unable to find com.vaadin.flow.spring.flowsecurity.data.UserInfo with id 6eb9fc83-cb92-4856-9caf-4cadde00c8c2

even though an entity with that id is explicitly created on startup.

So to summarize, not sure if this should be an issue in H2 or if it is somehow invalid to use a UUID without @Type(type = "uuid-char").
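The entity mapping and the workaround described in the comment above, written out as an added example (this is not code from the issue or from the vaadin/flow project). It targets Spring Boot 2.7 with Hibernate 5.6 and H2 2.x as in the thread; the package name, the `username` field, the repository interface and the startup check are assumptions. The runner performs the round trip that fails in the report: persist a UUID-keyed entity at startup, then read it back by its id and fail fast if the lookup does not return the same row.

```java
// Added example, not from the issue or the project it references.
// Package, field names other than "id", the repository and the startup
// check are assumptions; the @Type(type = "uuid-char") workaround is the
// one reported in the thread.
package example.data;

import java.util.UUID;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.hibernate.annotations.Type;
import org.springframework.boot.CommandLineRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;

@Entity
public class UserInfo {

    // Reported workaround: map the UUID to a 36-character string column
    // instead of the dialect's native UUID representation, so the value
    // written at startup is read back unchanged by later lookups.
    @Id
    @GeneratedValue
    @Type(type = "uuid-char")
    private UUID id;

    private String username;

    protected UserInfo() {
        // no-args constructor required by JPA
    }

    public UserInfo(String username) {
        this.username = username;
    }

    public UUID getId() {
        return id;
    }

    public String getUsername() {
        return username;
    }
}

// Assumed Spring Data repository keyed by the entity's UUID id.
interface UserInfoRepository extends JpaRepository<UserInfo, UUID> {
}

// Assumed startup check: reproduce the save-then-find round trip from the
// report and fail the application start if the id cannot be resolved,
// rather than discovering it later as a 403 on an admin-only resource.
@Configuration
class UserInfoStartupCheck {

    @Bean
    CommandLineRunner verifyUuidRoundTrip(UserInfoRepository repository) {
        return args -> {
            UserInfo saved = repository.save(new UserInfo("admin"));
            UUID id = saved.getId();
            UserInfo found = repository.findById(id).orElseThrow(
                    () -> new IllegalStateException(
                            "UserInfo " + id + " was saved but cannot be found by id;"
                            + " check the UUID column mapping for this H2/Hibernate version"));
            if (!id.equals(found.getId())) {
                throw new IllegalStateException(
                        "UUID changed across the round trip: " + id + " vs " + found.getId());
            }
        };
    }
}
```

With the `@Type` annotation removed, the runner reproduces the symptom from the report on the affected H2/Hibernate combination; with it present, the round trip succeeds. Enabling `spring.jpa.show-sql=true` shows the generated column type, which is a quick way to confirm which mapping is actually in effect.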

Comment From: wilkinsona

The upgrade to H2 2.x (that was necessary to pick up some security vulnerability fixes) has a higher cost than we would like as it is backwards incompatible. There are some links to H2 documentation that may help in Boot's release notes. Hibernate has also changed its dialect for H2 2.x, which affects how it handles UUID. See https://hibernate.atlassian.net/browse/HHH-15101, for example.

I'm going to close this one for now as I don't think there's anything we can do in Boot. If you are comfortable with the risks, you could investigate downgrading H2 back to 1.x.