We are trying to create a WildFly 16 highly available cluster with the JEE8 Security API. The project works well as a standalone application, but not as a cluster! We are getting an Infinispan NotSerializableException.

We have a WildFly 16 standalone application with JSF 2.3, CDI 2.0 and Soteria. This is running fine as standalone. Now we want to run this configuration as a standalone WildFly cluster. The WildFly instances are coming up and they know each other.

But when we call our application we get the following exception: `java.lang.IllegalArgumentException: org.infinispan.commons.marshall.NotSerializableException: org.glassfish.soteria.servlet.RequestData`

If needed we can post the whole stacktrace.

If we removed "distributable" from web.xml, it would work without any exception, but then we would not be able to share sessions between instances.

Are we missing some configuration? Or do we have another misunderstanding?

Thank You for your help


```java
@AutoApplySession
@LoginToContinue(loginPage = "/login.xhtml", errorPage = "", useForwardToLogin = true)
@ApplicationScoped
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private CustomIdentityStore identityStore;

    ...
}

@Model
public class LoginBean implements Serializable {

    public void login() {
        FacesContext context = FacesContext.getCurrentInstance();
        Credential credential = new CustomCredential(username, password);

        AuthenticationStatus status = securityContext.authenticate(
                (HttpServletRequest) externalContext.getRequest(),
                (HttpServletResponse) externalContext.getResponse(),
                withParams()
                        .credential(credential)
                        .newAuthentication(false)
                        .rememberMe(true)
        );
    ...
    }
}
```


web.xml:

```xml
...
<distributable/>
...
```

Edit from 3 July 2019:

As I can see now, the problem is in the Soteria implementation. I found the following commit on GitHub: "https://github.com/eclipse-ee4j/soteria/commit/fd9a29c4452f99b426dabc296ec759d36766a56f". The question for me now is, when does this go live? What are the alternatives to it, to achieve role-based access to the resources and to redirect unauthenticated users to a custom login page?

alechner

1 Answer

It seems like an object of type `org.glassfish.soteria.servlet.RequestData` needs to be replicated among the several instances of your cluster. The replication works by serializing the object on one side and deserializing it again on the other. This explains why the code works in a non-cluster environment.

This class, however, seems not to implement java.io.Serializable. Are you using RequestData in any object which is session-scoped?

  • @alechner: the last sentence in the answer is still valid, regardless of the 'bug'... It should not be there in any of your longer scoped code. If so, make it transient – Kukeltje Jul 03 '19 at 11:07
  • @Kukeltje: I have no access to RequestData, therefore I can make it neither serializable nor transient. – alechner Jul 03 '19 at 11:12
  • No, you make the USAGE of it transient (the assignment). **That** you do in the location in your code where it is used... Or if it is indirectly used, make the usage of the object that uses it transient... – Kukeltje Jul 03 '19 at 11:49
  • @Kukeltje: the code will be called indirectly over an annotation (@LoginToContinue), as I understand it. I do not have any direct usage of it. I cannot make CustomAuthenticationMechanism transient. – alechner Jul 03 '19 at 12:16
  • _"I cannot make CustomAuthenticationMechanism transient. "_ Why not? Then try making it transient IN the `CustomAuthenticationMechanism`... – Kukeltje Jul 03 '19 at 13:06
  • @alechner: The `LoginToContinueInterceptor` really seems to [add `RequestData` to the session](https://github.com/eclipse-ee4j/soteria/blob/84138dba5adcfeb314b1bb07117532c1cae5dc43/impl/src/main/java/org/glassfish/soteria/cdi/LoginToContinueInterceptor.java#L351), which is kind of unfortunate. As you've already mentioned, the commit is still unreleased. Would it be a possibility that you handle the login yourself instead of using `@LoginToContinue`? – user2814332 Jul 04 '19 at 09:22
  • Wouldn't it be easier to simply override this with a patch instead of a workaround until it is released? You can easily override the logic with a local patch... – Kukeltje Jul 04 '19 at 10:29
  • Hi, we have cloned the https://github.com/eclipse-ee4j/soteria.git project to replace the javax.security.enterprise-api-1.0.jar file located in WildFly. The problem we have is building the project, because it has missing dependencies. So I think we will wait or try another solution when there is more time for it. Thank you all for your help. – alechner Jul 08 '19 at 09:28
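
The serialization step described in the answer, and the effect of `transient` discussed in the comments, as an added example that is not part of the original posts or of Soteria. `SessionSerializationCheck`, `findNonSerializable`, `SavedLogin`, `SavedLoginTransient` and the local `RequestData` stand-in are hypothetical names; the check assumes the cluster replicates attributes with standard Java serialization.

```java
import java.io.*;
import java.util.*;

// Added example: applies the same serialization step a distributable session
// applies to each attribute, and reports which attributes would fail.
public class SessionSerializationCheck {

    // Constructed stand-in for a class that does not implement Serializable
    // (the role org.glassfish.soteria.servlet.RequestData plays in the question).
    static class RequestData {
        String url = "/protected/page.xhtml";
    }

    // Serializable holder with a plain reference: fails when replicated.
    static class SavedLogin implements Serializable {
        RequestData original = new RequestData();
    }

    // Same holder with the reference marked transient: the field is skipped.
    static class SavedLoginTransient implements Serializable {
        transient RequestData original = new RequestData();
    }

    // Returns attribute name -> name of the class that blocked serialization.
    static Map<String, String> findNonSerializable(Map<String, Object> attributes) {
        Map<String, String> failures = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                failures.put(e.getKey(), ex.getMessage()); // message is the offending class name
            } catch (IOException ex) {
                failures.put(e.getKey(), ex.toString());
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new LinkedHashMap<>(); // constructed sample attributes
        session.put("direct", new RequestData());
        session.put("nested", new SavedLogin());
        session.put("nestedTransient", new SavedLoginTransient());
        session.put("user", "alice");
        findNonSerializable(session).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

A `transient` field is `null` after deserialization on another node, so code reading it must tolerate that. `transient` also only helps for a field inside a serializable holder; an object stored directly as a session attribute, the "direct" case here, still fails.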