SEC-2335 Added ACL schema files for MySQL, SQL Server, Oracle

acl/src/main/resources/createAclSchema.sql

@@ -5,12 +5,12 @@
 -- drop table acl_class;
 -- drop table acl_sid;
 
-
 create table acl_sid(
     id bigint generated by default as identity(start with 100) not null primary key,
     principal boolean not null,
     sid varchar_ignorecase(100) not null,
-    constraint unique_uk_1 unique(sid,principal));
+    constraint unique_uk_1 unique(sid,principal)
+);
 
 create table acl_class(
     id bigint generated by default as identity(start with 100) not null primary key,

acl/src/main/resources/createAclSchemaMySQL.sql

@@ -0,0 +1,46 @@
+-- ACL Schema SQL for MySQL 5.5+ / MariaDB equivalent
+
+-- drop table acl_entry;
+-- drop table acl_object_identity;
+-- drop table acl_class;
+-- drop table acl_sid;
+
+CREATE TABLE acl_sid (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    principal BOOLEAN NOT NULL,
+    sid VARCHAR(100) NOT NULL,
+    UNIQUE KEY unique_acl_sid (sid, principal)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_class (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    class VARCHAR(100) NOT NULL,
+    UNIQUE KEY uk_acl_class (class)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_object_identity (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    object_id_class BIGINT UNSIGNED NOT NULL,
+    object_id_identity BIGINT NOT NULL,
+    parent_object BIGINT UNSIGNED,
+    owner_sid BIGINT UNSIGNED,
+    entries_inheriting BOOLEAN NOT NULL,
+    UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_entry (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    acl_object_identity BIGINT UNSIGNED NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid BIGINT UNSIGNED NOT NULL,
+    mask INTEGER UNSIGNED NOT NULL,
+    granting BOOLEAN NOT NULL,
+    audit_success BOOLEAN NOT NULL,
+    audit_failure BOOLEAN NOT NULL,
+    UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+) ENGINE=InnoDB;

acl/src/main/resources/createAclSchemaOracle.sql

@@ -0,0 +1,82 @@
+-- ACL Schema SQL for Oracle Database 10g+
+
+-- drop trigger acl_sid_id_trigger;
+-- drop trigger acl_class_id_trigger;
+-- drop trigger acl_object_identity_id_trigger;
+-- drop trigger acl_entry_id_trigger;
+-- drop sequence acl_sid_sequence;
+-- drop sequence acl_class_sequence;
+-- drop sequence acl_object_identity_sequence;
+-- drop sequence acl_entry_sequence;
+-- drop table acl_entry;
+-- drop table acl_object_identity;
+-- drop table acl_class;
+-- drop table acl_sid;
+
+CREATE TABLE acl_sid (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
+    sid NVARCHAR2(100) NOT NULL,
+    CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
+);
+CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_sid_id_trigger
+    BEFORE INSERT ON acl_sid
+    FOR EACH ROW
+BEGIN
+    SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_class (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    class NVARCHAR2(100) NOT NULL,
+    CONSTRAINT uk_acl_class UNIQUE (class)
+);
+CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_class_id_trigger
+    BEFORE INSERT ON acl_class
+    FOR EACH ROW
+BEGIN
+    SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_object_identity (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    object_id_class NUMBER(38) NOT NULL,
+    object_id_identity NUMBER(38) NOT NULL,
+    parent_object NUMBER(38),
+    owner_sid NUMBER(38),
+    entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
+    CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+);
+CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
+    BEFORE INSERT ON acl_object_identity
+    FOR EACH ROW
+BEGIN
+    SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_entry (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    acl_object_identity NUMBER(38) NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid NUMBER(38) NOT NULL,
+    mask INTEGER NOT NULL,
+    granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
+    audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
+    audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
+    CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+);
+CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_entry_id_trigger
+    BEFORE INSERT ON acl_entry
+    FOR EACH ROW
+BEGIN
+    SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
+END;

acl/src/main/resources/createAclSchemaSqlServer.sql

@@ -0,0 +1,46 @@
+-- ACL Schema SQL for Microsoft SQL Server 2008+
+
+-- drop table acl_entry;
+-- drop table acl_object_identity;
+-- drop table acl_class;
+-- drop table acl_sid;
+
+CREATE TABLE acl_sid (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    principal BIT NOT NULL,
+    sid VARCHAR(100) NOT NULL,
+    CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
+);
+
+CREATE TABLE acl_class (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    class VARCHAR(100) NOT NULL,
+    CONSTRAINT uk_acl_class UNIQUE (class)
+);
+
+CREATE TABLE acl_object_identity (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    object_id_class BIGINT NOT NULL,
+    object_id_identity BIGINT NOT NULL,
+    parent_object BIGINT,
+    owner_sid BIGINT,
+    entries_inheriting BIT NOT NULL,
+    CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+);
+
+CREATE TABLE acl_entry (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    acl_object_identity BIGINT NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid BIGINT NOT NULL,
+    mask INTEGER NOT NULL,
+    granting BIT NOT NULL,
+    audit_success BIT NOT NULL,
+    audit_failure BIT NOT NULL,
+    CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+);

docs/manual/src/asciidoc/index.adoc

@@ -6029,7 +6029,7 @@ DDL statements are given for the HSQLDB database. You can use these as a guideli
 
 
 === User Schema
-The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
+The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You will need to adjust this schema to match the database dialect you are using.
 
 [source]
 ----
@@ -6037,51 +6037,57 @@ The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) req
 create table users(
     username varchar_ignorecase(50) not null primary key,
     password varchar_ignorecase(50) not null,
-    enabled boolean not null);
+    enabled boolean not null
+);
 
 create table authorities (
     username varchar_ignorecase(50) not null,
     authority varchar_ignorecase(50) not null,
-    constraint fk_authorities_users foreign key(username) references users(username));
-    create unique index ix_auth_username on authorities (username,authority);
+    constraint fk_authorities_users foreign key(username) references users(username)
+);
+create unique index ix_auth_username on authorities (username,authority);
 ----
 
 ==== Group Authorities
-Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`. The table structure if groups are enabled is as follows:
+Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`. The table structure if groups are enabled is as follows. You will need to adjust this schema to match the database dialect you are using.
 
 [source]
 ----
 
 create table groups (
-  id bigint generated by default as identity(start with 0) primary key,
-  group_name varchar_ignorecase(50) not null);
+    id bigint generated by default as identity(start with 0) primary key,
+    group_name varchar_ignorecase(50) not null
+);
 
 create table group_authorities (
-  group_id bigint not null,
-  authority varchar(50) not null,
-  constraint fk_group_authorities_group foreign key(group_id) references groups(id));
+    group_id bigint not null,
+    authority varchar(50) not null,
+    constraint fk_group_authorities_group foreign key(group_id) references groups(id)
+);
 
 create table group_members (
-  id bigint generated by default as identity(start with 0) primary key,
-  username varchar(50) not null,
-  group_id bigint not null,
-  constraint fk_group_members_group foreign key(group_id) references groups(id));
+    id bigint generated by default as identity(start with 0) primary key,
+    username varchar(50) not null,
+    group_id bigint not null,
+    constraint fk_group_members_group foreign key(group_id) references groups(id)
+);
 ----
 
 Remember that these tables are only required if you are using the provided JDBC `UserDetailsService` implementation. If you write your own  or choose to implement `AuthenticationProvider` without a `UserDetailsService`, then you have complete freedom over how you store the data, as long as the interface contract is satisfied.
 
 
 === Persistent Login (Remember-Me) Schema
-This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation. If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table.
+This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation. If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table. Remember to adjust this schema to match the database dialect you are using.
 
 [source]
 ----
 
 create table persistent_logins (
-  username varchar(64) not null,
-  series varchar(64) primary key,
-  token varchar(64) not null,
-  last_used timestamp not null);
+    username varchar(64) not null,
+    series varchar(64) primary key,
+    token varchar(64) not null,
+    last_used timestamp not null
+);
 
 ----
 
@@ -6096,85 +6102,97 @@ There are four tables used by the Spring Security <<domain-acls,ACL>> implementa
 
 It is assumed that the database will auto-generate the primary keys for each of the identities. The `JdbcMutableAclService` has to be able to retrieve these when it has created a new row in the `acl_sid` or `acl_class` tables. It has two properties which define the SQL needed to retrieve these values `classIdentityQuery` and `sidIdentityQuery`. Both of these default to `call identity()`
 
-==== Hypersonic SQL
+The ACL artifact JAR contains files for creating the ACL schema in HyperSQL (HSQLDB), PostgreSQL, MySQL/MariaDB, Microsoft SQL Server, and Oracle Database. These schemas are also demonstrated in the following sections.
+
+==== HyperSQL
 The default schema works with the embedded HSQLDB database that is used in unit tests within the framework.
 
-[source]
+[source,ddl]
 ----
 
-create table acl_sid (
-  id bigint generated by default as identity(start with 100) not null primary key,
-  principal boolean not null,
-  sid varchar_ignorecase(100) not null,
-  constraint unique_uk_1 unique(sid,principal) );
-
-create table acl_class (
-  id bigint generated by default as identity(start with 100) not null primary key,
-  class varchar_ignorecase(100) not null,
-  constraint unique_uk_2 unique(class) );
-
-create table acl_object_identity (
-  id bigint generated by default as identity(start with 100) not null primary key,
-  object_id_class bigint not null,
-  object_id_identity bigint not null,
-  parent_object bigint,
-  owner_sid bigint not null,
-  entries_inheriting boolean not null,
-  constraint unique_uk_3 unique(object_id_class,object_id_identity),
-  constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
-  constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
-  constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id) );
-
-create table acl_entry (
-  id bigint generated by default as identity(start with 100) not null primary key,
-  acl_object_identity bigint not null,ace_order int not null,sid bigint not null,
-  mask integer not null,granting boolean not null,audit_success boolean not null,
-  audit_failure boolean not null,
-  constraint unique_uk_4 unique(acl_object_identity,ace_order),
-  constraint foreign_fk_4 foreign key(acl_object_identity)
-      references acl_object_identity(id),
-  constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
+create table acl_sid(
+    id bigint generated by default as identity(start with 100) not null primary key,
+    principal boolean not null,
+    sid varchar_ignorecase(100) not null,
+    constraint unique_uk_1 unique(sid,principal)
+);
+
+create table acl_class(
+    id bigint generated by default as identity(start with 100) not null primary key,
+    class varchar_ignorecase(100) not null,
+    constraint unique_uk_2 unique(class)
+);
+
+create table acl_object_identity(
+    id bigint generated by default as identity(start with 100) not null primary key,
+    object_id_class bigint not null,
+    object_id_identity bigint not null,
+    parent_object bigint,
+    owner_sid bigint,
+    entries_inheriting boolean not null,
+    constraint unique_uk_3 unique(object_id_class,object_id_identity),
+    constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
+    constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
+    constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
+);
+
+create table acl_entry(
+    id bigint generated by default as identity(start with 100) not null primary key,
+    acl_object_identity bigint not null,
+    ace_order int not null,
+    sid bigint not null,
+    mask integer not null,
+    granting boolean not null,
+    audit_success boolean not null,
+    audit_failure boolean not null,
+    constraint unique_uk_4 unique(acl_object_identity,ace_order),
+    constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
+    constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
+);
 ----
 
 ==== PostgreSQL
 [source,ddl]
 ----
 create table acl_sid(
-  id bigserial not null primary key,
-  principal boolean not null,
-  sid varchar(100) not null,
-  constraint unique_uk_1 unique(sid,principal));
+    id bigserial not null primary key,
+    principal boolean not null,
+    sid varchar(100) not null,
+    constraint unique_uk_1 unique(sid,principal)
+);
 
 create table acl_class(
-  id bigserial not null primary key,
-  class varchar(100) not null,
-  constraint unique_uk_2 unique(class));
+    id bigserial not null primary key,
+    class varchar(100) not null,
+    constraint unique_uk_2 unique(class)
+);
 
 create table acl_object_identity(
-  id bigserial primary key,
-  object_id_class bigint not null,
-  object_id_identity bigint not null,
-  parent_object bigint,
-  owner_sid bigint,
-  entries_inheriting boolean not null,
-  constraint unique_uk_3 unique(object_id_class,object_id_identity),
-  constraint foreign_fk_1 foreign key(parent_object) references acl_object_identity(id),
-  constraint foreign_fk_2 foreign key(object_id_class) references acl_class(id),
-  constraint foreign_fk_3 foreign key(owner_sid) references acl_sid(id));
+    id bigserial primary key,
+    object_id_class bigint not null,
+    object_id_identity bigint not null,
+    parent_object bigint,
+    owner_sid bigint,
+    entries_inheriting boolean not null,
+    constraint unique_uk_3 unique(object_id_class,object_id_identity),
+    constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
+    constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
+    constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
+);
 
 create table acl_entry(
-  id bigserial primary key,
-  acl_object_identity bigint not null,
-  ace_order int not null,
-  sid bigint not null,
-  mask integer not null,
-  granting boolean not null,
-  audit_success boolean not null,
-  audit_failure boolean not null,
-  constraint unique_uk_4 unique(acl_object_identity,ace_order),
-  constraint foreign_fk_4 foreign key(acl_object_identity)
-      references acl_object_identity(id),
-  constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
+    id bigserial primary key,
+    acl_object_identity bigint not null,
+    ace_order int not null,
+    sid bigint not null,
+    mask integer not null,
+    granting boolean not null,
+    audit_success boolean not null,
+    audit_failure boolean not null,
+    constraint unique_uk_4 unique(acl_object_identity,ace_order),
+    constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
+    constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
+);
 ----
 
 You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties of `JdbcMutableAclService` to the following values, respectively:
@@ -6182,6 +6200,166 @@ You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties
 * `select currval(pg_get_serial_sequence('acl_class', 'id'))`
 * `select currval(pg_get_serial_sequence('acl_sid', 'id'))`
 
+==== MySQL and MariaDB
+[source,ddl]
+----
+CREATE TABLE acl_sid (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    principal BOOLEAN NOT NULL,
+    sid VARCHAR(100) NOT NULL,
+    UNIQUE KEY unique_acl_sid (sid, principal)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_class (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    class VARCHAR(100) NOT NULL,
+    UNIQUE KEY uk_acl_class (class)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_object_identity (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    object_id_class BIGINT UNSIGNED NOT NULL,
+    object_id_identity BIGINT NOT NULL,
+    parent_object BIGINT UNSIGNED,
+    owner_sid BIGINT UNSIGNED,
+    entries_inheriting BOOLEAN NOT NULL,
+    UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+) ENGINE=InnoDB;
+
+CREATE TABLE acl_entry (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    acl_object_identity BIGINT UNSIGNED NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid BIGINT UNSIGNED NOT NULL,
+    mask INTEGER UNSIGNED NOT NULL,
+    granting BOOLEAN NOT NULL,
+    audit_success BOOLEAN NOT NULL,
+    audit_failure BOOLEAN NOT NULL,
+    UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+) ENGINE=InnoDB;
+----
+
+==== Microsoft SQL Server
+[source,ddl]
+----
+CREATE TABLE acl_sid (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    principal BIT NOT NULL,
+    sid VARCHAR(100) NOT NULL,
+    CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
+);
+
+CREATE TABLE acl_class (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    class VARCHAR(100) NOT NULL,
+    CONSTRAINT uk_acl_class UNIQUE (class)
+);
+
+CREATE TABLE acl_object_identity (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    object_id_class BIGINT NOT NULL,
+    object_id_identity BIGINT NOT NULL,
+    parent_object BIGINT,
+    owner_sid BIGINT,
+    entries_inheriting BIT NOT NULL,
+    CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+);
+
+CREATE TABLE acl_entry (
+    id BIGINT NOT NULL IDENTITY PRIMARY KEY,
+    acl_object_identity BIGINT NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid BIGINT NOT NULL,
+    mask INTEGER NOT NULL,
+    granting BIT NOT NULL,
+    audit_success BIT NOT NULL,
+    audit_failure BIT NOT NULL,
+    CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+);
+----
+
+==== Oracle Database
+[source,ddl]
+----
+CREATE TABLE acl_sid (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
+    sid NVARCHAR2(100) NOT NULL,
+    CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
+);
+CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_sid_id_trigger
+    BEFORE INSERT ON acl_sid
+    FOR EACH ROW
+BEGIN
+    SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_class (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    class NVARCHAR2(100) NOT NULL,
+    CONSTRAINT uk_acl_class UNIQUE (class)
+);
+CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_class_id_trigger
+    BEFORE INSERT ON acl_class
+    FOR EACH ROW
+BEGIN
+    SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_object_identity (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    object_id_class NUMBER(38) NOT NULL,
+    object_id_identity NUMBER(38) NOT NULL,
+    parent_object NUMBER(38),
+    owner_sid NUMBER(38),
+    entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
+    CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
+    CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
+    CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
+);
+CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
+    BEFORE INSERT ON acl_object_identity
+    FOR EACH ROW
+BEGIN
+    SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
+END;
+
+CREATE TABLE acl_entry (
+    id NUMBER(38) NOT NULL PRIMARY KEY,
+    acl_object_identity NUMBER(38) NOT NULL,
+    ace_order INTEGER NOT NULL,
+    sid NUMBER(38) NOT NULL,
+    mask INTEGER NOT NULL,
+    granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
+    audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
+    audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
+    CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
+    CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
+    CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
+);
+CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
+CREATE OR REPLACE TRIGGER acl_entry_id_trigger
+    BEFORE INSERT ON acl_entry
+    FOR EACH ROW
+BEGIN
+    SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
+END;
+----
+
 [[appendix-namespace]]
 == The Security Namespace
 This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <<ns-config,introductory chapter>> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in http://www.relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. If you are familiar with this format, you may wish to examine the https://fisheye.springsource.org/browse/spring-security/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc[schema file] directly.