  1. WildFly
  2. WFLY-15859

Re-authentication after reboot, even though HttpSessions are persisted

      Run the add-user command inside the bin folder to add an application user.
      Run WildFly with the provided standalone-full-text.xml.
      Deploy the provided ee-security.war.
      Make a GET request to http://localhost:8080/ee-security/secured (via browser or curl) and specify X-Username and X-Password headers with the previously chosen values.
      A JSESSIONID is returned and can be used instead of X-Username and X-Password to stay logged in.
      If you reboot the application server, the JSESSIONID is no longer valid and you need to log in again.

      The war is built from this official example:
      https://github.com/wildfly/quickstart/tree/main/ee-security
      But it has been modified to have the @AutoApplySession annotation on the TestAuthenticationMechanism.
      Anyway, I also attached the source.

      This issue affects both HA and non-HA profiles.

      In the provided standalone.xml, HttpSessions are persisted via jdbc-store using an H2 file datasource.
      I also reproduced the issue with MySQL datasources.

      I don't know what broke this, but for sure this worked previously on WildFly 21 using the old PicketBox/legacy security subsystem.

      Persisted sessions via jdbc-store are lost after reboot.

      Session is not lost, but user is forced to reauthenticate, even though @AutoApplySession was used.

        1. ee-security.war
          9 kB
          Alessandro Moscatelli
        2. ee-security-1.war
          10 kB
          Alessandro Moscatelli
        3. standalone-full-ha-test.xml
          37 kB
          Alessandro Moscatelli
        4. standalone-full-test.xml
          32 kB
          Alessandro Moscatelli
        5. standalone-full-test-1.xml
          32 kB
          Alessandro Moscatelli

            pferraro@redhat.com Paul Ferraro
            alessandro.moscatelli@live.com Alessandro Moscatelli (Inactive)
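
A restart check for the reproduction steps above, written as an added example that is not part of the original report or the WildFly project: it logs in with the X-Username and X-Password headers, replays the returned JSESSIONID after the restart, and reports whether the authenticated identity survived. The `APP_USER` and `APP_PASS` variables, the function names, and the reading of a non-200 status or a replacement cookie are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): does an authenticated JSESSIONID
# survive a WildFly restart? Variable and function names are hypothetical.
URL="${URL:-http://localhost:8080/ee-security/secured}"  # URL given in the report

# Print the JSESSIONID from a dumped response-header file (empty if none set).
session_id() {
    tr -d '\r' < "$1" |
        sed -n 's/^[Ss]et-[Cc]ookie: *JSESSIONID=\([^;]*\).*/\1/p' | tail -n 1
}

# classify STATUS OLD_ID NEW_ID
# Assumption: any status other than 200 means the caller must authenticate again,
# and a different JSESSIONID in the reply means the old session was discarded.
classify() {
    if [ "$1" = "200" ]; then
        echo "identity-kept"
    elif [ -n "$3" ] && [ "$3" != "$2" ]; then
        echo "reauth-new-session"
    else
        echo "reauth-no-new-cookie"
    fi
}

login() {   # login USER PASSWORD HEADER_FILE -> prints HTTP status
    curl -s -o /dev/null -D "$3" -w '%{http_code}' \
        -H "X-Username: $1" -H "X-Password: $2" "$URL"
}

replay() {  # replay SESSION_ID HEADER_FILE -> prints HTTP status
    curl -s -o /dev/null -D "$2" -w '%{http_code}' -b "JSESSIONID=$1" "$URL"
}

main() {
    hdr=$(mktemp)
    status=$(login "$APP_USER" "$APP_PASS" "$hdr")
    old=$(session_id "$hdr")
    if [ "$status" != "200" ] || [ -z "$old" ]; then
        echo "login failed (HTTP $status)" >&2; rm -f "$hdr"; return 1
    fi
    printf 'Restart the server, then press Enter: '; read -r _
    status=$(replay "$old" "$hdr")
    echo "HTTP $status: $(classify "$status" "$old" "$(session_id "$hdr")")"
    rm -f "$hdr"
}

# Network calls happen only when invoked as: APP_USER=... APP_PASS=... sh check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```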