Jakarta Security: SecurityContext roles intermittently lost on page reload or navigation

[riyadomf]

Environment Details

• GlassFish Version (and build number): Eclipse GlassFish 7.0.19 and 7.0.15 platform (tested on both)
• JDK version: 17
• Jakarta EE version: Jakarta EE 10
• OS: Ubuntu 22.04 and Ubuntu 24.04
• Database: PostgreSQL

---

Problem Description

When reloading or navigating between pages in a Jakarta EE application running on GlassFish, SecurityContext roles unexpectedly disappear, resulting in inconsistent access control behavior and unexpected 403 Forbidden errors. The user principal (securityContext.getCallerPrincipal()) is still present, but roles are sometimes unavailable, causing access restrictions even for authenticated users with valid roles.

Steps to reproduce

1. Authenticate a user with specific roles.
2. Navigate between pages or refresh the page.
3. Observe that suddenly securityContext.getCallerPrincipal() remains non-null, but role-checking methods like securityContext.isCallerInRole("roleName") return false for roles that should be active. Similarly securityContext.getAllDeclaredRoles() returns only ** role, while all other roles temporarily disappear. However, The roles reappear and function correctly upon the next reload.

Impact of Issue

This issue disrupts role-based access control in applications, causing intermittent authorization failures during navigation or page refreshes. As a result, users may lose access to certain features or pages even though they are authenticated, leading to inconsistent user experiences and potential security concerns. This behavior is particularly problematic for applications relying on stable, role-based permissions across sessions.

Type: Bug
Component: Security / Authentication
Priority: High

[OndroMih]

Hi @riyadomf, do you have a reproducer application for this? Can you, please, share it with us or prepare a simple application on which you can reproduce the issue? It would greatly help us investigate the issue and if it's caused by a bug, fix it.

[OndroMih]

Hi @riyadomf, would you be able to create a simple reproducer that can be easily used to reproduce the issue?

[hberton]

Environment Details

• GlassFish Version (and build number): Eclipse GlassFish 7.0.19 and 7.0.15 platform (tested on both)
• JDK version: 17
• Jakarta EE version: Jakarta EE 10
• OS: Ubuntu 22.04 and Ubuntu 24.04
• Database: PostgreSQL

Problem Description

When reloading or navigating between pages in a Jakarta EE application running on GlassFish, SecurityContext roles unexpectedly disappear, resulting in inconsistent access control behavior and unexpected 403 Forbidden errors. The user principal (securityContext.getCallerPrincipal()) is still present, but roles are sometimes unavailable, causing access restrictions even for authenticated users with valid roles.

Steps to reproduce

1. Authenticate a user with specific roles.
2. Navigate between pages or refresh the page.
3. Observe that suddenly securityContext.getCallerPrincipal() remains non-null, but role-checking methods like securityContext.isCallerInRole("roleName") return false for roles that should be active. Similarly securityContext.getAllDeclaredRoles() returns only ** role, while all other roles temporarily disappear. However, The roles reappear and function correctly upon the next reload.

Impact of Issue

This issue disrupts role-based access control in applications, causing intermittent authorization failures during navigation or page refreshes. As a result, users may lose access to certain features or pages even though they are authenticated, leading to inconsistent user experiences and potential security concerns. This behavior is particularly problematic for applications relying on stable, role-based permissions across sessions.

Type: Bug Component: Security / Authentication Priority: High

+1

[riyadomf]

I did not encounter this issue in GlassFish 7.0.8. However, I experienced it in versions 7.0.14, 7.0.15, and 7.0.19.