-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sometimes 403 Forbidden server response when websocket message call ajax update with identity store #25141
Comments
Thanks for the report. A first question; does this happen with any two browsers, or specifically with chrome and edge? What is the approximate frequency of sometimes failing? Eg in the order of 1 in 100 or 1 in 10 or so? |
It's not specifically Chrome, I also have an error with Firefox I've test with WildFly 33.0.1, and not problem For test : |
After using glassfish since 2006, I was forced to adapt my projects for WildFly. I did not have time to do further research to target the code of the server concerned. For me, the problem happens when the request uses a different thread from the http pool between two calls. The TestSession project allows you to reproduce the problem quickly with opening two browsers. |
The same issue also reported here: https://stackoverflow.com/questions/79070073/response-403-forbidden-at-simultaneously-ajax-request-using-jakarta-ee-and-glass |
Environment Details
Problem DescriptionIn my case, it happend between 3-4 of 10 "simultaneous" requests. I guess, it's triggering 403 forbbiden , cause the http session is detected as a new one, without any previous security applied, and without session attributes neither. Temporal solutionIn a request filter (before RESTful service), it checks authorization with If you have any other question, I'll be here. |
Environment Details
Problem Description
Sometimes server return 403 forbidden
I add RealmAdapter log:
Normal trace:
RealmAdapter.findPrincipalWrapper
principal:jakarta.security.enterprise.CallerPrincipal@31614fef
sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#]
RealmAdapter.findPrincipalWrapper
principal:jakarta.security.enterprise.CallerPrincipal@41e82e26
sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@41e82e26|#]
sessionBean.getText(): TEST1|#]
sessionBean.getText(): TEST2|#]
When 403 forbidden:
RealmAdapter.findPrincipalWrapper
principal:jakarta.security.enterprise.CallerPrincipal@41e82e26
sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#]
RealmAdapter.findPrincipalWrapper
principal:jakarta.security.enterprise.CallerPrincipal@31614fef
sessionPrincipal:jakarta.security.enterprise.CallerPrincipal@31614fef|#]
RealmAdapter.validate sessionSubject == null|#]
sessionBean.getText(): TEST1|#]
Server return 403 for TEST2,
In fonction RealmAdapter.findPrincipalWrapper caller is TEST2 and sessionPrincipal is TEST1
Steps to reproduce
TestSession.zip
Compile TestSession project
Deploy TestSession
Open chrome explorer and developper tools, call http://127.0.0.1:8080/test/
login with TEST1 / TEST1
Open edge explorer and developper tools, call http://127.0.0.1:8080/test/
login with TEST2 / TEST2
Sometimes server return 403 forbidden
Impact of Issue
Client not refresh when server return 403
The text was updated successfully, but these errors were encountered: