
Bug Report: Payara Cluster forgets roles when using an HttpAuthenticationMechanism / FISH-7733

Status: Open. georgwolf opened this issue 2 years ago • 0 comments

Brief Summary

Security roles are lost when deploying a webapp using an HttpAuthenticationMechanism for authentication on a Payara cluster as soon as a request hits a different cluster member than a previous request.

Expected Outcome

Security roles are properly replicated and retained across cluster members.

Current Outcome

Security roles are lost and accessing secured pages returns a 403 error / request.isUserInRole(...) always returns false if requests of a single session are answered by multiple cluster members. This only happens if the Jakarta Security API (i.e. an HttpAuthenticationMechanism) is used for authentication. The roles are retained if using a Payara security realm (e.g. the default file realm). Roles are also retained as long as all requests are answered by the same cluster member.

Reproducer

Reproducer project is available here: https://github.com/georgwolf/payara_cluster_demo

This uses Docker to start two Payara Micro instances and an Nginx proxy that will distribute requests round-robin to the two Payara instances. You can package the demo app and start the containers with mvn package docker:start. To stop them, use mvn docker:stop.

After the cluster is ready, navigate to http://localhost:8080/index.xhtml and authenticate using username 'test' and password 'password'. The index page will show some session and cluster info: [screenshot] Now refresh the page and it will return a 403 instead (if not, you may need to refresh the page repeatedly to hit the other cluster member).

I've also included the page again but as unauthenticated at http://localhost:8080/na.xhtml. You can see there that the request.isUserInRole(...) calls now return false, i.e. security roles are lost, but the session and user principal itself are still there.

Compare this to the filerealm branch and the roles are retained even if multiple cluster members are hit.

Operating System

Windows 10 Pro

JDK Version

Zulu 11

Payara Distribution

Payara Micro, Payara Docker Image

georgwolf, Jul 20 '23 13:07