[6.2.3] Request login/logout/relogin fails to load roles (isUserInRole)
Hello,
While running some tests for upgrading from Payara 5/Java EE 8 to GlassFish 6.2.3/Jakarta EE 9.1, we hit a strange bug with HttpServletRequest.login(user, pass) and HttpServletRequest.isUserInRole(role). Even though the login works after a logout, it seems isUserInRole always returns false.
Here is a code snippet that we have:

```java
request.login(myUser, myPassword); // ok
request.isUserInRole("ADMIN");     // true
// ...
request.logout();                  // principal is reset
// ...
request.login(myUser, myPassword); // ok
request.isUserInRole("ADMIN");     // false => should (still) be true
```
After diving into GlassFish's code, we found out that during the logout, PolicyContext.setContextId(null) is invoked (however, the context is not set during login). Hence, any further invocation of isUserInRole does not work because the context id is needed.
We are using a simple JDBC Realm and there is no change in the user/roles between the first and second calls. All the invocations are in the same thread.
Here is a working workaround; however, it seems (very) hacky because we have to use GlassFish internal classes:

```java
String ctxId = PolicyContext.getContextId();
request.login(myUser, myPassword); // ok
request.isUserInRole("ADMIN");     // true
// ...
request.logout();                  // principal is reset
// ...
PolicyContext.setContextId(ctxId);
request.login(myUser, myPassword); // ok
request.isUserInRole("ADMIN");     // true
```
That was working with Payara 5, but wasn't tested in previous versions of GlassFish.
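To make the login/logout/relogin regression reproducible on a test deployment, here is a small diagnostic servlet as an added example (not code from the issue or from GlassFish). It runs the same sequence as the snippets above, records what isUserInRole returns after each login, and reports the JACC context id before and after logout. It uses the standard jakarta.security.jacc.PolicyContext API (getContextID/setContextID), which is an assumption on my part; the reporter's workaround uses a GlassFish-internal class instead. The servlet path, the request parameter names and the credentials are placeholders for a test realm.

```java
import java.io.IOException;
import java.io.PrintWriter;

import jakarta.security.jacc.PolicyContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Diagnostic servlet that reproduces the login -> logout -> login sequence
 * from the report and records what isUserInRole returns at each step.
 * Added example, not part of the original issue. Servlet path, parameter
 * names and the role name are assumptions; credentials are taken from POST
 * parameters so the check can be pointed at a throwaway test realm only.
 */
@WebServlet("/relogin-role-check") // hypothetical path
public class ReloginRoleCheckServlet extends HttpServlet {

    private static final String ROLE = "ADMIN"; // role used in the report

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");           // assumed parameter name
        String password = request.getParameter("password");   // assumed parameter name
        boolean applyWorkaround = "true".equals(request.getParameter("workaround"));

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        // Remember the JACC policy context id before the sequence starts (standard JACC API,
        // assumed to map to what the report calls PolicyContext.getContextId()).
        String ctxId = PolicyContext.getContextID();
        out.println("contextId before 1st login: " + ctxId);

        request.login(user, password);
        boolean first = request.isUserInRole(ROLE);
        out.println("after 1st login, isUserInRole(" + ROLE + ") = " + first);

        request.logout();
        // The report's hypothesis: logout clears the context id and login does not restore it.
        out.println("contextId after logout: " + PolicyContext.getContextID());

        if (applyWorkaround) {
            // Same idea as the reporter's workaround, via the standard API: restore the id
            // that logout cleared before logging in again. Requires SetPolicy permission
            // when a SecurityManager is installed.
            PolicyContext.setContextID(ctxId);
        }

        request.login(user, password);
        boolean second = request.isUserInRole(ROLE);
        out.println("after 2nd login, isUserInRole(" + ROLE + ") = " + second);

        // Expected on a correct server: both checks true. A false second check without the
        // workaround reproduces the regression; a true one with workaround=true points at
        // the cleared context id as the cause. The 500 status lets a CI job fail on it.
        boolean ok = first && second;
        out.println(ok ? "PASS" : "FAIL: role membership lost after relogin");
        if (!ok) {
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
        // Leave no authenticated session behind on the diagnostic endpoint.
        request.logout();
    }
}
```

Run it twice against the same test user, once with workaround=false and once with workaround=true, and compare the two "contextId" lines and the final verdict: the combination "FAIL" without the workaround and "PASS" with it is the evidence that the role lookup depends on the context id that logout resets. Note that isUserInRole returning false here fails closed (access is denied, not granted), so the practical risk is legitimate users losing authorization after a relogin rather than a privilege escalation.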
Environment Details
- GlassFish Version: 6.2.3 (glassfish-embedded-all)
- JDK version: 17.0.1
- OS: Linux Debian
- Database: H2