Tags: java, ajax, jakarta-ee, glassfish, jakarta-ee-security-api

Response 403 Forbidden on simultaneous Ajax requests using Jakarta EE and GlassFish Server


I have a Jakarta-based web app deployed in GlassFish 7.0.16. Currently, I'm implementing Jakarta Security with user roles from the DB. That works fine until the client side executes multiple Ajax requests at the same time; then it starts responding 403 Forbidden from the 2nd or 3rd Ajax request. Actually, it occurs only sometimes, around 3 out of 10 times.

I've tried changing the security settings, such as <security-role> in web.xml, @ServletSecurity in the Servlet file, and @Inject SecurityContext into the Servlet class.

I removed @ServletSecurity from my Servlet class and wrote a filter, where I inject SecurityContext and check as follows:

import java.io.IOException;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// URL pattern assumed for illustration; the original filter registration is not shown
@WebFilter("/*")
public class AuthorizationFilter implements Filter {

 @Inject
 SecurityContext sc;

 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
   throws IOException, ServletException {

  HttpServletRequest req = (HttpServletRequest) request;
  HttpServletResponse res = (HttpServletResponse) response;

  // Let the request through if either the container or Jakarta Security reports the role
  if (req.isUserInRole("ROLE_A") || sc.isCallerInRole("ROLE_A")) {
   chain.doFilter(request, response);
  } else {
   // log info about Principal and session attributes, then reject the request
   res.sendError(HttpServletResponse.SC_FORBIDDEN);
  }
 }
}

Like I mentioned above, if the client side makes 6 simultaneous Ajax requests, one of them will get a 403 Forbidden response. Checking the log generated within the else branch, all session attributes and the Principal are there, just like in the other 5 Ajax requests.

Any idea of what is happening?


Solution

  • This looks like the known issue already reported for GlassFish. I think I found a fix for it, with this change: https://github.com/eclipse-ee4j/glassfish/issues/25141.

    Watch for the new GlassFish version which should bring the fix.