Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug Report: Payara Cluster forgets roles when using an HttpAuthenticationMechanism / FISH-7733 #6342

Open
georgwolf opened this issue Jul 20, 2023 · 0 comments
Open

Bug Report: Payara Cluster forgets roles when using an HttpAuthenticationMechanism / FISH-7733 #6342

georgwolf opened this issue Jul 20, 2023 · 0 comments
Assignees
@kalinchan
Labels
Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev Type: Bug Label issue as a bug defect

Comments

@georgwolf
Copy link

Brief Summary

Security roles are lost when deploying a webapp using an HttpAuthenticationMechanism for authentication on a Payara cluster as soon as a request hits a different cluster member than a previous request.

Expected Outcome

Security roles are properly replicated and retained across cluster members.

Current Outcome

Security roles are lost and accessing secured pages returns a 403 error / request.isUserInRole(...) always return false if requests of a single session are answered by multiple cluster members. This only happens if the Jakarta Security API (i.e. an HttpAuthenticationMechanism) is used for authentication. The roles are retained if using a Payara security realm (e.g. the default file realm). Roles are also retained as long as all requests are answered by the same cluster member.

Reproducer

Reproducer project is available here: https://github.com/georgwolf/payara_cluster_demo

This uses Docker to start two Payara Micro instances and an Nginx proxy that will distribute requests round-robin to the two Payara instances. You can package the demo app and start the containers with mvn package docker:start. To stop them use mvn docker:stop

After the cluster is ready, navigate to http://localhost:8080/index.xhtml and authenticate using username 'test' and password 'password'. The index page will show some session and cluster info:
grafik
Now refresh the page and it will return a 403 instead (if not you may need to refresh the page repeatedly to hit the other cluster member).

I've also included the page again but as unathenticated at http://localhost:8080/na.xhtml. You can see there that the request.isUserInRole(...) calls now return false, i.e. security roles are lost, but the session and user principal itself are still there.

Compare this to the filerealm branch and the roles are retained even if multiple cluster members are hit.

Operating System

Windows 10 Pro

JDK Version

Zulu 11

Payara Distribution

Payara Micro, Payara Docker Image
@georgwolf georgwolf added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Bug Label issue as a bug defect labels Jul 20, 2023
@kalinchan kalinchan changed the title Bug Report: Payara Cluster forgets roles when using an HttpAuthenticationMechanism Bug Report: Payara Cluster forgets roles when using an HttpAuthenticationMechanism / FISH-7733 Aug 14, 2023
@kalinchan kalinchan added Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev and removed Status: Open Issue has been triaged by the front-line engineers and is being worked on verification labels Aug 14, 2023
@Jarannn Jarannn mentioned this issue Aug 17, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kalinchan kalinchan

Labels
Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev Type: Bug Label issue as a bug defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@georgwolf @kalinchan