
Fix principal in Jakarta SecurityContext when using SSO #25356

Open
wants to merge 3 commits into
base: master
Conversation

OndroMih
Contributor

@OndroMih OndroMih commented Feb 1, 2025

WebPrincipal was not serializable because of this fix: #25290, which caused exceptions in the SSO mechanism, like this:

java.lang.IllegalStateException: java.io.NotSerializableException: java.lang.ThreadLocal
	at org.glassfish.web.ha.authenticator.HASingleSignOnEntry.convertToByteArray(HASingleSignOnEntry.java:167)
...
Caused by: java.io.NotSerializableException: java.lang.ThreadLocal
...
	at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:358)
	at org.glassfish.web.ha.authenticator.HASingleSignOnEntry.convertToByteArray(HASingleSignOnEntry.java:163)
	... 33 more

This PR moves the thread-local variable to the static context so that it's not serialized together with the securityContext instance. The value is only relevant within the scope of a specific request, and thus within a specific thread, so it doesn't have to be attached to a specific security context instance.
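The change the description outlines, reduced to a stand-alone Java example (added here; this is not GlassFish's code): a hypothetical ContextBefore keeps a per-request flag in an instance ThreadLocal and fails to serialize with the exception shown above, while ContextAfter holds the same flag in a static ThreadLocal and round-trips through ObjectOutputStream/ObjectInputStream. Class, field and method names are assumptions.

```java
import java.io.*;

public class ThreadLocalSerializationDemo {
    // "Before": hypothetical stand-in for a security context that keeps a per-request flag
    // in an instance ThreadLocal. ThreadLocal is not Serializable, so writing the object fails.
    static final class ContextBefore implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principalName;
        final ThreadLocal<Boolean> inRequest = new ThreadLocal<>();
        ContextBefore(String principalName) { this.principalName = principalName; }
    }

    // "After": the same flag as a static ThreadLocal. Still scoped to the current thread
    // (and so to the current request) but no longer instance state, so the object serializes.
    static final class ContextAfter implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final ThreadLocal<Boolean> IN_REQUEST = new ThreadLocal<>();
        final String principalName;
        ContextAfter(String principalName) { this.principalName = principalName; }
        void enterRequest() { IN_REQUEST.set(Boolean.TRUE); }
        // Clear on exit: a pooled thread would otherwise carry the flag into the next request.
        void exitRequest() { IN_REQUEST.remove(); }
        boolean inRequest() { return Boolean.TRUE.equals(IN_REQUEST.get()); }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            serialize(new ContextBefore("alice"));
        } catch (NotSerializableException e) {
            System.out.println("before: " + e);
        }
        ContextAfter ctx = new ContextAfter("alice");
        ctx.enterRequest();
        ContextAfter copy = (ContextAfter) deserialize(serialize(ctx));
        System.out.println("after: principal=" + copy.principalName + " inRequest=" + copy.inRequest());
        ctx.exitRequest();
    }
}
```

Marking the field `transient` would also let the object serialize, but moving the flag out of instance state, as the PR does, makes it explicit that the value belongs to the thread, not to the context object.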

Because of a thread-local field in the securityContext field.
@OndroMih OndroMih force-pushed the ondromih-sso-issue branch 2 times, most recently from 21241b9 to 104c9c9 on February 1, 2025 17:22
@dmatej dmatej added this to the 7.0.23 milestone Feb 4, 2025
@dmatej dmatej added the bug Something isn't working label Feb 4, 2025
Add tests for Jakarta Security authentication
- test for a custom principal
- test for serialization of the internal securityContext, which is transferred across SSO instances

Some refactoring
- remove redundant empty lines from SimpleMultiRoleMappingTest
- add an alternative to test HTTP resources with Java Http Client to GlassFishTestEnvironment
Labels
bug Something isn't working
4 participants