I am running WildFly Swarm with MicroProfile JWT authentication, and I noticed some really strange behavior after executing multiple requests on the system.
In some of my resources I inject the subject claim:
If the Authorization header is present and its value is valid, this gets injected with the subject attribute. Otherwise it is null.
What I noticed is that after my system runs for some time, there are occasional cases when a random subject is injected when the Authorization header is empty. And the values are really random: in my system I had more than one user access it and each time I do another request, I get a different subject.
So I looked through the JWT extension code and came to this class: https://github.com/thorntail/thorntail/blob/master/fractions/microprofile/microprofile-jwt/src/main/java/org/wildfly/swarm/microprofile/jwtauth/deployment/auth/cdi/MPJWTProducer.java
I noticed that it is an application-scoped bean and that the JWT token is preserved in a thread-local field. It is set by an external party by calling a public static method.
So my suspicion is that the external party calls the setter when the Authorization header is present and valid. But otherwise it doesn't call anything to remove it. So if the thread served a request with a valid header and then serves another request with a missing one, the second time I get the first request's subject injected.
I added some logging to my system and found in the logs exactly what I suspected.
So could that be the problem? Should the "external party" that sets the currentPrincipal if the JWT is fine remove it otherwise?
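The pattern described in the question, reproduced as an added example that is not part of the original post and not Thorntail's code: a static ThreadLocal holder for the principal, a request filter that only sets it on a valid header, and a single reused worker thread standing in for a pooled request thread. The names (`PrincipalHolder`, `handleLeaky`, `handleFixed`, the "Bearer <subject>" toy validation) are hypothetical stand-ins for illustration.

```java
import java.util.Arrays;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

public class ThreadLocalPrincipalLeak {

    // Stand-in for the static thread-local holder described in the question
    // (hypothetical class, not the real MPJWTProducer).
    static final class PrincipalHolder {
        private static final ThreadLocal<String> currentPrincipal = new ThreadLocal<>();
        static void set(String subject) { currentPrincipal.set(subject); }
        static String get() { return currentPrincipal.get(); }
        static void clear() { currentPrincipal.remove(); }
    }

    // Toy "validation" (assumption for the example): "Bearer <subject>" is valid,
    // a missing or malformed header is not. Real code would verify the JWT signature.
    static String subjectFromAuthorizationHeader(String header) {
        if (header != null && header.startsWith("Bearer ") && header.length() > 7) {
            return header.substring(7);
        }
        return null;
    }

    // Leaky filter: sets the holder when the header is valid and does nothing otherwise,
    // so a header-less request sees whatever the previous request on this thread left behind.
    static String handleLeaky(String authorizationHeader) {
        String subject = subjectFromAuthorizationHeader(authorizationHeader);
        if (subject != null) {
            PrincipalHolder.set(subject);
        }
        return PrincipalHolder.get(); // what the resource would get injected
    }

    // Fixed filter: reset the holder before handling the request and always clear it
    // afterwards, so nothing survives on the pooled thread between requests.
    static String handleFixed(String authorizationHeader) {
        PrincipalHolder.clear();
        try {
            String subject = subjectFromAuthorizationHeader(authorizationHeader);
            if (subject != null) {
                PrincipalHolder.set(subject);
            }
            return PrincipalHolder.get();
        } finally {
            PrincipalHolder.clear();
        }
    }

    // Serve the requests one after another on a single worker thread, mimicking a
    // thread pool that reuses the same thread for consecutive requests.
    static String[] serve(boolean fixed, String... headers) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            String[] seen = new String[headers.length];
            for (int i = 0; i < headers.length; i++) {
                String h = headers[i];
                Future<String> f = pool.submit(() -> fixed ? handleFixed(h) : handleLeaky(h));
                seen[i] = f.get();
            }
            return seen;
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request sequence: valid header, no header, valid header, no header.
        String[] headers = { "Bearer alice", null, "Bearer bob", null };
        System.out.println("leaky: " + Arrays.toString(serve(false, headers)));
        System.out.println("fixed: " + Arrays.toString(serve(true, headers)));
    }
}
```

In the leaky run the two header-less requests report the subject of the request that preceded them on the same thread, which is exactly the behavior the question describes; in the fixed run they report null. The `finally` block is the important part: clearing the thread-local only on the success path would still leak when validation throws.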