payara / Payara

Payara Server is an open source middleware platform that supports reliable and secure deployments of Java EE (Jakarta EE) and MicroProfile applications in any environment: on premise, in the cloud or hybrid.
http://www.payara.fish

Bug Report: HTTP 403 Forbidden response for correctly authenticated and authorized calls to protected JAX-RS resource/FISH-7515 #6145

Open TheOnlyAl opened 1 year ago

TheOnlyAl commented 1 year ago

Brief Summary

If you have a protected Web Resource and are logged in using an authentication mechanism like @CustomFormAuthenticationMechanismDefinition, you can sometimes get an HTTP 403 Forbidden status code if the server is under load.

Additional information

This is probably some kind of concurrency issue.

After further investigation it might be some problem with the @AutoApplySession functionality which uses the following interceptor: AutoApplySessionInterceptor.java

The problem seems to be that the actual additional information which is returned is not correct for a call under load: BaseContainerCallbackHandler.java

The SecurityContext.getCurrent().getAdditionalPrincipal() will return null for the calls which result in a 403 unauthorized. And since the group information seems to be part of the additional information this is a problem.

There seems to be a really old bug with a similar problem: https://github.com/payara/Payara/issues/751

Expected Outcome

As long as you are logged in correctly, you should not get an HTTP 403 Forbidden.

Current Outcome

Sometimes calls will return with HTTP 403 Forbidden while the server is under load.

Reproducer

I created a project with files to reproduce this: https://github.com/TheOnlyAl/payara-jaspic-bug

The current code is written for Java EE 8 and can be tested on Payara 5. If needed, I could create a branch to check this for Jakarta EE 10 with Payara 6.

Operating System

Docker Image on Windows 10 using WSL 2

JDK Version

Checked for JDK 8 (Payara 5.2022.5) and JDK 17 (Payara 6.2021.1)

Payara Distribution

Payara Server Full Profile
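The following is an added illustration of the kind of setup the report describes, written against the Java EE 8 (javax.*) APIs the reporter targets on Payara 5. It is not the reporter's reproducer (that lives in the linked repository) and not Payara's own code. A declarative custom form mechanism, an in-memory identity store that assigns the "user" group, a programmatic login endpoint and a protected JAX-RS resource are shown in one listing; each public class would go in its own file. The names (SecurityConfig, DemoIdentityStore, alice/secret, /login.html, /api/login, /api/protected) are assumptions chosen for the example. The point of the last class is to show where the group information established at login is consulted again on every request: isCallerInRole is the decision that turns into a 403 for a caller whose session principal is present but whose groups are not.

```java
import java.util.Arrays;
import java.util.HashSet;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.*;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// --- SecurityConfig.java ---
// Declares the custom form mechanism. The container applies @AutoApplySession to it, so a
// successful authenticate() stores the caller principal and groups in the HTTP session and
// re-applies them on later requests (the interceptor the report points at).
@CustomFormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.html",   // assumed static page name, not from the report
        errorPage = "",
        useForwardToLogin = false))
@ApplicationScoped
public class SecurityConfig { }

// --- DemoIdentityStore.java ---
// Constructed single-user store for the example; a real store would query a database or LDAP.
@ApplicationScoped
public class DemoIdentityStore implements IdentityStore {
    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (credential instanceof UsernamePasswordCredential) {
            UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            if (upc.compareTo("alice", "secret")) {
                // These groups are what the container later consults for isCallerInRole.
                return new CredentialValidationResult("alice", new HashSet<>(Arrays.asList("user")));
            }
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}

// --- RestApp.java ---
@ApplicationPath("/api")
public class RestApp extends Application { }

// --- AuthResource.java ---
// Programmatic login: this is how a custom form mechanism is driven, instead of a
// container-rendered form. POST user=alice&password=secret to /api/login.
@Path("/login")
@ApplicationScoped
public class AuthResource {
    @Inject SecurityContext securityContext;

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response login(@FormParam("user") String user, @FormParam("password") String password,
                          @Context HttpServletRequest req, @Context HttpServletResponse resp) {
        AuthenticationStatus status = securityContext.authenticate(req, resp,
            AuthenticationParameters.withParams()
                .credential(new UsernamePasswordCredential(user, password)));
        // SUCCESS means the session now carries the principal and the "user" group.
        return status == AuthenticationStatus.SUCCESS
            ? Response.noContent().build()
            : Response.status(Response.Status.UNAUTHORIZED).build();
    }
}

// --- ProtectedResource.java ---
// The protected call. Every request re-derives the caller from the session; the role check
// below is the decision that yields 403 when the caller is known but the groups are not.
@Path("/protected")
@ApplicationScoped
public class ProtectedResource {
    @Inject SecurityContext securityContext;

    @GET
    public Response whoAmI() {
        if (securityContext.getCallerPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();   // not logged in at all
        }
        if (!securityContext.isCallerInRole("user")) {
            return Response.status(Response.Status.FORBIDDEN).build();      // logged in, groups missing
        }
        return Response.ok(securityContext.getCallerPrincipal().getName()).build();
    }
}
```

To exercise the scenario the report describes, log in once, keep the JSESSIONID cookie, then issue many concurrent GETs to /api/protected with that cookie and tally the status codes. Every response should be 200; any 403 for the same session indicates that the groups attached to the session principal were not available on that request, which is the symptom the reporter attributes to getAdditionalPrincipal() returning null under load.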

TheOnlyAl commented 1 year ago

Hi.

Just wanted to know if you had success in replicating the problem, or if I can maybe help in any way?

shub8968 commented 1 year ago

Hi @TheOnlyAl,

I have escalated this to our platform development team as FISH-7515.