Open Dev-ALPM opened 1 month ago
Thanks for the report. A first question; does this happen with any two browsers, or specifically with chrome and edge?
What is the approximate frequency of sometimes failing? Eg in the order of 1 in 100 or 1 in 10 or so?
It's not specifically Chrome, I also have an error with Firefox
I've test with WildFly 33.0.1, and not problem testSession-WildFly.zip
For test : start wildfly standalone with -c standalone-full.xml parameter Disable Integrated JASPI under management console : Configuration / Subsytem / Web / Application Security Domain mvn install wildfly:deploy
After using glassfish since 2006, I was forced to adapt my projects for WildFly.
I did not have time to do further research to target the code of the server concerned.
For me, the problem happens when the request uses a different thread from the http pool between two calls.
The TestSession project allows you to reproduce the problem quickly with opening two browsers.
The same issue also reported here: https://stackoverflow.com/questions/79070073/response-403-forbidden-at-simultaneously-ajax-request-using-jakarta-ee-and-glass
Environment Details
Problem Description
Sometimes server return 403 forbidden
I add RealmAdapter log:
Normal trace: RealmAdapter.findPrincipalWrapper principal:jakarta.security.enterprise.CallerPrincipal@31614fef sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#] RealmAdapter.findPrincipalWrapper principal:jakarta.security.enterprise.CallerPrincipal@41e82e26 sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@41e82e26|#] sessionBean.getText(): TEST1|#] sessionBean.getText(): TEST2|#]
When 403 forbidden: RealmAdapter.findPrincipalWrapper principal:jakarta.security.enterprise.CallerPrincipal@41e82e26 sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#] RealmAdapter.findPrincipalWrapper principal:jakarta.security.enterprise.CallerPrincipal@31614fef sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#] RealmAdapter.validate sessionSubject == null|#] sessionBean.getText(): TEST1|#]
Server return 403 for TEST2, In fonction RealmAdapter.findPrincipalWrapper caller is TEST2 and sessionPrincipal is TEST1
Steps to reproduce
TestSession.zip
Compile TestSession project Deploy TestSession
Open chrome explorer and developper tools, call http://127.0.0.1:8080/test/ login with TEST1 / TEST1
Open edge explorer and developper tools, call http://127.0.0.1:8080/test/ login with TEST2 / TEST2
Sometimes server return 403 forbidden
Impact of Issue
Client not refresh when server return 403