Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jakarta Security: SecurityContext roles intermittently lost on page reload or navigation #25206

Open
riyadomf opened this issue Nov 6, 2024 · 1 comment
Open

Jakarta Security: SecurityContext roles intermittently lost on page reload or navigation #25206

riyadomf opened this issue Nov 6, 2024 · 1 comment

Comments

@riyadomf
Copy link

riyadomf commented Nov 6, 2024

Environment Details

  • GlassFish Version (and build number): Eclipse GlassFish 7.0.19 and 7.0.15 platform (tested on both)
  • JDK version: 17
  • Jakarta EE version: Jakarta EE 10
  • OS: Ubuntu 22.04 and Ubuntu 24.04
  • Database: PostgreSQL

Problem Description

When reloading or navigating between pages in a Jakarta EE application running on GlassFish, SecurityContext roles unexpectedly disappear, resulting in inconsistent access control behavior and unexpected 403 Forbidden errors. The user principal (securityContext.getCallerPrincipal()) is still present, but roles are sometimes unavailable, causing access restrictions even for authenticated users with valid roles.

Steps to reproduce

  1. Authenticate a user with specific roles.
  2. Navigate between pages or refresh the page.
  3. Observe that suddenly securityContext.getCallerPrincipal() remains non-null, but role-checking methods like securityContext.isCallerInRole("roleName") return false for roles that should be active. Similarly securityContext.getAllDeclaredRoles() returns only ** role, while all other roles temporarily disappear. However, The roles reappear and function correctly upon the next reload.

Impact of Issue

This issue disrupts role-based access control in applications, causing intermittent authorization failures during navigation or page refreshes. As a result, users may lose access to certain features or pages even though they are authenticated, leading to inconsistent user experiences and potential security concerns. This behavior is particularly problematic for applications relying on stable, role-based permissions across sessions.

Type: Bug
Component: Security / Authentication
Priority: High
@OndroMih
Copy link
Contributor

OndroMih commented Nov 9, 2024

Hi @riyadomf, do you have a reproducer application for this? Can you, please, share it with us or prepare a simple application on which you can reproduce the issue? It would greatly help us investigate the issue and if it's caused by a bug, fix it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@OndroMih @riyadomf