Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-18650

Security roles lost following failover

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • 29.0.1.Final, 30.0.0.Final, 30.0.1.Final, 31.0.0.Final, 31.0.1.Final, 34.0.0.Final
    • Clustering, Security, Web (Undertow)
    • None
    • Hide
      1. Deploy the attached webapp, module, and configuration to two, standalone (clustered) Wildfly servers.
      2. Open your browser and go to http://<server1>/example/restricted-user-info.jsp
      3. Login with username "jdoe" and password "jdoe" (any username/password combo where username=password will work). Once logged in, you should see a page listing the username and security roles.
      4. Open another browser tab and go to http://<server2>/example/restricted-user-info.jsp

      This leads to a 403 (Forbidden) error because you no longer have the necessary security roles. You can point your browser to http://<server2>/example/user-info.jsp to verify that the user is still known, but all security roles have been removed. Additionally, this user info is, again, replicated back to server 1, wiping out the security roles there as well.

      Show
      Deploy the attached webapp, module, and configuration to two, standalone (clustered) Wildfly servers. Open your browser and go to http://<server1>/example/restricted-user-info.jsp Login with username "jdoe" and password "jdoe" (any username/password combo where username=password will work). Once logged in, you should see a page listing the username and security roles. Open another browser tab and go to http://<server2>/example/restricted-user-info.jsp This leads to a 403 (Forbidden) error because you no longer have the necessary security roles. You can point your browser to http://<server2>/example/user-info.jsp to verify that the user is still known, but all security roles have been removed. Additionally, this user info is, again, replicated back to server 1, wiping out the security roles there as well.
    • ---
    • ---

      When using a JAAS security realm, security roles are lost after failover.

      Following login, a user may access resources according to his/her role(s). However, after failing over to another server in the cluster, those roles are lost and the user no longer has permission to access anything. Additionally, because the user info is replicated back to the first server, the roles associated with the user on that server are also wiped out.

        1. example-webapp-and-config.zip
          14 kB
        2. standalone-ha.xml
          34 kB
        3. WFLY-18650.diff
          5 kB

              rhn-support-pesilva Pedro Silva
              kevinwimmer@situsamc.com Kevin Wimmer (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: