Uploaded image for project: 'Thorntail'
  1. Thorntail
  2. THORN-2110

MPJWTProducer's currentPrincipal holding old values

    Details

      Description

      I am running WildFly Swarm with MicroProfile JWT authentication. And I noticed some really strange behavior after executing multiple requests on the system.

      In some of my resources I inject the subject claim:

          @Inject
          @Claim(standard = Claims.sub)
          private String subject;
      

      If the Authorization header is present and its value is valid, this gets injected with the subject attribute. Otherwise it is null.

      What I noticed is that after my system runs for some time, there are occasional cases when a random subject is injected when the Authorization header is empty. And the values are really random: in my system I had more than one user access it and each time I do another request, I get a different subject.

      So I looked through the JWT extension code and came to this class: https://github.com/thorntail/thorntail/blob/master/fractions/microprofile/microprofile-jwt/src/main/java/org/wildfly/swarm/microprofile/jwtauth/deployment/auth/cdi/MPJWTProducer.java

      I noticed that it is application scoped bean and the JWT token is preserved in a thread local field. It is set by an external party by calling a public static method.

      So my suspicion is that the external party calls the setter when the Authorization header is present and valid. But otherwise it doesn't call anything to remove it. So if the thread served a request with a valid header and then serves another request with a missing one, the second time I get the first request's subject injected.

      I added some logging to my system and found in the logs exactly what I suspected.

      So could that be the problem? Should the "external party" that sets the currentPrinciple if the JWT is fine, remove it otherwise?

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mszynkie Michal Szynkiewicz
                  Reporter:
                  ivan_stefanov Ivan St. Ivanov
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: