I have a Jakarta-based web app deployed in GlassFish 7.0.16. Currently, I'm implementing Jakarta Security with user roles from the DB. That works fine until the client side executes multiple AJAX requests at the same time; then it starts responding 403 Forbidden beginning from the 2nd or 3rd AJAX request. Actually, it occurs only sometimes, around 3 out of 10 times.
I've tried changing the security settings: <security-role> in web.xml, @ServletSecurity in the Servlet file, and @Inject SecurityContext into the Servlet class.
I removed @ServletSecurity from my Servlet class and wrote a filter, where I inject SecurityContext and check as follows:
import java.io.IOException;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class AuthorizationFilter implements Filter {

    @Inject
    SecurityContext sc;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Let the request through if either the Servlet API or Jakarta Security sees ROLE_A
        if (req.isUserInRole("ROLE_A") || sc.isCallerInRole("ROLE_A")) {
            chain.doFilter(request, response);
        } else {
            // log info about Principal and session attributes
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // the 403 described in the post
        }
    }
}
As I mentioned above, if the client side makes 6 simultaneous AJAX requests, one of them will respond 403 Forbidden. Checking the log generated within the else fragment, all session attributes and the Principal are there, just like for the other 5 AJAX requests.
Any idea of what is happening?
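For reference, here is a minimal version of the setup the question describes: a database identity store, a declarative @ServletSecurity constraint, and an injected SecurityContext checked alongside the Servlet API's isUserInRole. This is an added example, not the asker's code or anything from GlassFish; the package name, the JNDI data-source name, the table and column names, the URL pattern and the PBKDF2 parameters are assumptions chosen for illustration.

```java
package com.example.web; // hypothetical package

import java.io.IOException;

import jakarta.annotation.security.DeclareRoles;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import jakarta.security.enterprise.identitystore.Pbkdf2PasswordHash;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Jakarta Security reads these definitions from any CDI bean; servlets are CDI beans,
// so placing them on the protected servlet keeps the whole example in one file.
@BasicAuthenticationMechanismDefinition(realmName = "app")
@DatabaseIdentityStoreDefinition(
        dataSourceLookup = "java:app/jdbc/appDS",                             // hypothetical JNDI name
        callerQuery = "SELECT password FROM app_user WHERE username = ?",     // hypothetical schema
        groupsQuery = "SELECT group_name FROM app_user_group WHERE username = ?",
        hashAlgorithm = Pbkdf2PasswordHash.class,
        hashAlgorithmParameters = {
                "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA256",
                "Pbkdf2PasswordHash.Iterations=210000"                        // assumed work factor
        })
@DeclareRoles({"ROLE_A", "ROLE_B"})
@WebServlet("/api/data")                                                      // hypothetical URL
// Declarative constraint: the container rejects callers without ROLE_A before doGet runs.
@ServletSecurity(@HttpConstraint(rolesAllowed = "ROLE_A"))
public class DataServlet extends HttpServlet {

    @Inject
    SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Programmatic check through both APIs, mirroring the filter in the question.
        // Under the declarative constraint above both should always be true; logging a
        // disagreement between them separates a role-mapping problem from a container bug.
        boolean servletApiSaysYes = req.isUserInRole("ROLE_A");
        boolean securityApiSaysYes = securityContext.isCallerInRole("ROLE_A");
        if (!servletApiSaysYes || !securityApiSaysYes) {
            log("role check disagreement for " + req.getRemoteUser()
                    + ": isUserInRole=" + servletApiSaysYes
                    + " isCallerInRole=" + securityApiSaysYes);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/json");
        resp.getWriter().printf("{\"caller\":\"%s\"}",
                securityContext.getCallerPrincipal().getName());
    }
}
```

Two things to check when a setup like this returns unexpected 403s. First, the password column must hold hashes in the format Pbkdf2PasswordHash produces (algorithm, iterations, Base64 salt and Base64 hash separated by colons), generated with the same parameters given in hashAlgorithmParameters; a plaintext or differently formatted value fails validation silently. Second, the group names returned by groupsQuery have to map to the declared roles: on GlassFish that means either enabling default principal-to-role mapping for the server or adding a <security-role-mapping> for each role in glassfish-web.xml. If both checks pass and the failures are still intermittent under concurrent requests, the problem is not in this configuration.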
This looks like the known issue already reported for GlassFish. I think I found a fix for it, with this change: https://github.com/eclipse-ee4j/glassfish/issues/25141.
Watch for the new GlassFish version which should bring the fix.