When Spring Security is used, JPA annotations auto-wiring is not supported : the @PersistenceContext EntityManager is not injected in the DAO layer, which results in NullPointerExceptions
In the given Eclipse project (requires maven plugin to run, or maven command line), the META-INF/applicationContext.xml contains spring-security configuration along with JPA beans.
When the 2 spring-security beans are commented, the 2 JUnit tests pass.
When the beans are included in the configuration, the JUnit test fail.
Luke Taylor said:
This appears to be a more general problem (not specific to JPA) where our HttpSecurityConfigPostProcessor causes beans to be instantiated too early and they aren’t processed by individual BeanPostProcessors (in this case PersisteceAnnotationBeanPostProcessor). I’ve added a much simpler test to HttpSecurityBeanDefinitionParserTests and refactored the post processing substantially to make it much more conservative about instantiating beans.
The changes mentioned above should have fixed the problem. Could you check with a recent snapshot please?
Closing, as the test now passes.
Chris Herron said:
I’m still seeing this problem with snapshot 20080211.160105-53.
… and I’m using Spring 2.5.3
In my case, my UserDAO implements UserDetailsService directly. Watching the log output, I notice that the UserDAO gets created early along with the security infrastructure, without any EntityManager getting injected. Later on, other DAOs get created and I see the PersistenceContext injection happening.
The only difference I can see between my setup and Xavier’s attachment is that:
1. My UserDAO directly implements UserDetailsService. Xavier’s example uses an @Repository annotated DAO as an auto-wired property of his UserDetailsService implementation.
2. I’m not explicitly using auto-wiring.
3. My config is split across multiple files, imported into a main applicationConfig.xml. Don’t think this matters.
4. I’m using Spring 2.5.3
It’ll take me a while to put together a sanitized example of my setup – sorry!
I just tried Xavier’s SpringSecurityJPAWithAnnotations.zip test, with snapshots:
… and I’m using Spring 2.5.3.
It still fails as Xavier described: a NPE when the DAO attempts to use its injected EntityManager. Commenting out the security config allows the test to pass.
Please disregard my previous comments. I totally missed the timestamp in the snapshot filenames – these weren’t the most recent. Unfortunately, the spring-security-core/tiger snapshots available at http://s3browse.com/explore/maven.springframework.org/snapshot/org/springframework/security/
… stop at 2008-04-01.
I’m not a maven user, is there another way to get more recent snapshots without doing a build myself?
I’m not sure why snapshots have stopped there, but thanks for pointing it out. I’ll check with the build manager. Building yourself is actuall pretty straightforward and often the easiest option for keeping up with things:
Thanks Luke – I was able to checkout and build the trunk. With this fresh snapshot, Xavier’s test passes, and my issue is resolved.
Sorry for the noise!
No Problem. Nice to have extra confirmation that the problem is fixed. The snapshot builds should be back online now too.
tran duc trung said:
I always have this bug with spring 2.5.4 and spring-security 2.0.1
Maybe you are thinking of this SEC-826? Both are fixed against the latest release (2.0.2) so we will need a test case which reproduces the problem if you think there is still an issue.