riyadomf opened this issue 1 week ago (status: Open)

Environment Details

Problem Description

When reloading or navigating between pages in a Jakarta EE application running on GlassFish, SecurityContext roles unexpectedly disappear, resulting in inconsistent access control behavior and unexpected 403 Forbidden errors. The user principal (securityContext.getCallerPrincipal()) is still present, but roles are sometimes unavailable, causing access restrictions even for authenticated users with valid roles.

Steps to reproduce

securityContext.getCallerPrincipal() remains non-null, but role-checking methods like securityContext.isCallerInRole("roleName") return false for roles that should be active. Similarly, securityContext.getAllDeclaredRoles() returns only the ** role, while all other roles temporarily disappear. However, the roles reappear and function correctly upon the next reload.

Impact of Issue

This issue disrupts role-based access control in applications, causing intermittent authorization failures during navigation or page refreshes. As a result, users may lose access to certain features or pages even though they are authenticated, leading to inconsistent user experiences and potential security concerns. This behavior is particularly problematic for applications relying on stable, role-based permissions across sessions.

Type: Bug
Component: Security / Authentication
Priority: High

Comment:

Hi @riyadomf, do you have a reproducer application for this? Can you, please, share it with us or prepare a simple application on which you can reproduce the issue? It would greatly help us investigate the issue and if it's caused by a bug, fix it.
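A per-request probe for the symptom described in the report, added here as an example (it is not code from the issue, its author, or GlassFish). It assumes a Jakarta EE 10 application with an authentication mechanism and identity store already configured; the role names, the servlet path and the reading of ** as the Servlet "any authenticated user" pseudo-role are assumptions.

```java
import jakarta.annotation.security.DeclareRoles;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import java.util.logging.Logger;

// Added diagnostic example, not code from the issue or from GlassFish.
// Role names "admin" and "user" and the /role-probe path are placeholders.
@DeclareRoles({"admin", "user"})
@WebServlet("/role-probe")
public class RoleProbeServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(RoleProbeServlet.class.getName());

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal caller = securityContext.getCallerPrincipal();
        Set<String> declared = securityContext.getAllDeclaredRoles();
        boolean admin = securityContext.isCallerInRole("admin");
        boolean user = securityContext.isCallerInRole("user");
        HttpSession session = req.getSession(false);
        String sessionId = session == null ? "none" : session.getId();

        // The reported symptom: a caller principal is present, yet the declared-role
        // set has collapsed and every real role check fails. Log it with the session
        // id so the intermittent requests can be correlated with the server log.
        boolean collapsed = caller != null && isRoleSetCollapsed(declared) && !admin && !user;
        LOG.info(() -> String.format("session=%s caller=%s declared=%s admin=%b user=%b collapsed=%b",
                sessionId, caller == null ? "null" : caller.getName(), declared, admin, user, collapsed));

        resp.setContentType("text/plain");
        resp.getWriter().printf("caller=%s declared=%s admin=%b user=%b collapsed=%b%n",
                caller == null ? "null" : caller.getName(), declared, admin, user, collapsed);
    }

    /** True when nothing but the "**" pseudo-role (any authenticated user) survives, or the set is empty. */
    static boolean isRoleSetCollapsed(Set<String> declared) {
        return declared == null || declared.isEmpty()
                || (declared.size() == 1 && declared.contains("**"));
    }
}
```

Reloading /role-probe repeatedly while authenticated and grepping the server log for collapsed=true gives the maintainers the per-request evidence (session id, principal, role set) they asked for without any application-specific code.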