
security using RolesAllowed not always working #2729

Closed

eduarddrenth opened this issue May 16, 2018 · 8 comments

Labels: PR: TESTS REQUIRED (PR Requires Tests to be merged)
Comments

@eduarddrenth

Description


Context

Same application (exact same war), same Payara version, same Java version, identical automated Payara configuration.

Problem

On one machine RolesAllowed works; on the other I am allowed updates without the correct role.

Expected Outcome

When I do not have the correct role I am not allowed to execute the annotated method.

Current Outcome

When I do not have the correct role I am allowed to execute the annotated method.

Steps to reproduce (Only for bug reports)

No steps yet, but relevant snippets:

In Controller:

    // injection point for the write service whose methods carry @RolesAllowed
    @Inject
    @Override
    protected void initCrudWriteService(@StdwCrudBean Auditing crudWriteService) {


// the stateless bean that should be protected
@Local({CrudReadService.class, Auditing.class, StdwCrudService.class})
@Stateless
@StdwCrudBean
public class CrudServiceBean extends AbstractCrudServiceEnvers implements StdwCrudService {
.
.
    @Transactional
    @RolesAllowed(EDITORROLE) // redeclared on the override: method-level annotations are not inherited
    @Override
    public <T extends Serializable> T update(T t) {
.
.
        return super.update(t); // super code see below
    }
.
.
    // superclass implementation referenced above as "super code"
    @Transactional
    @TransactionAttribute
    @Override
    @RolesAllowed(value = {EDITORROLE})
    public <T extends Serializable> T update(T t) {
        return getEntityManager().merge(t);
    }


servlet setup

Environment

  • Payara Version: 5.181
  • Edition: full
  • JDK Version: 1.8.0_171-8u171-b11-0ubuntu0.16.04.1-b11
  • Operating System: both environments ubuntu 16.04
  • Operating System: linux 4.4.0-119-generic for working environment
  • Operating System: linux 2.6.32-042stab128.2 for not working environment
  • Database: MySQL
@eduarddrenth
Author

The file realm:

screenshot from 2018-05-16 16-31-35

@eduarddrenth
Author

Now, after again a lot of testing on the problematic server, deploying the same war that did not work before, all of a sudden it works as expected. Some form of server-side caching?

@eduarddrenth
Author

Perhaps these are of influence?

set configs.config.server-config.admin-service.das-config.autodeploy-enabled=false
set configs.config.server-config.admin-service.das-config.dynamic-reload-enabled=false

Thing is, as it stands I cannot be sure security is OK: I have to test each deployment, and if it doesn't work I don't have a fix.
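Added example, not from this issue or from Payara: a build-time reflection audit that lists a bean's public business methods carrying no JSR-250 security annotation, run here over a constructed class hierarchy shaped like the snippets above. It does not replace testing the deployed application, but it catches one silent way the restriction disappears: a method-level @RolesAllowed on a superclass method is not inherited by an overriding method, which is why the snippet redeclares it on the override. Assumes javax.annotation.security on the classpath (bundled with JDK 8, otherwise javax.annotation-api); the class and role names are constructed.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.io.Serializable;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class RolesAllowedAudit {
    // True when the method or class carries any of the JSR-250 security annotations.
    static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(RolesAllowed.class)
            || e.isAnnotationPresent(PermitAll.class)
            || e.isAnnotationPresent(DenyAll.class);
    }

    // Public methods protected neither on the method nor at class level on the declaring class.
    public static List<String> unprotectedMethods(Class<?> beanClass) {
        List<String> unprotected = new ArrayList<>();
        for (Method m : beanClass.getMethods()) {
            if (m.getDeclaringClass() == Object.class || m.isSynthetic()) continue;
            if (!hasSecurityAnnotation(m) && !hasSecurityAnnotation(m.getDeclaringClass())) {
                unprotected.add(m.getDeclaringClass().getSimpleName() + "." + m.getName());
            }
        }
        return unprotected;
    }

    // Constructed hierarchy mirroring the issue: the superclass restricts both write methods.
    static abstract class AbstractCrudService {
        @RolesAllowed("EDITORROLE")
        public <T extends Serializable> T update(T t) { return t; }
        @RolesAllowed("EDITORROLE")
        public void delete(Serializable t) { }
    }

    static class CrudServiceBean extends AbstractCrudService {
        @Override @RolesAllowed("EDITORROLE")   // redeclared on the override, as in the issue
        public <T extends Serializable> T update(T t) { return super.update(t); }
        @Override                               // override without the annotation: unprotected
        public void delete(Serializable t) { super.delete(t); }
    }

    public static void main(String[] args) {
        // reports any override that lost its restriction
        System.out.println(unprotectedMethods(CrudServiceBean.class));
    }
}
```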

@smillidge
Contributor

Can you provide a reproducible test case?

smillidge added the "PR: TESTS REQUIRED" (PR Requires Tests to be merged) label on May 23, 2018
@eduarddrenth
Author

No, that's the frustrating thing, all I can do is upload the war that I saw the problem with and scripts to make it run, it will be like the reproducer in #2625. If that's ok I can provide that, but I suspect it will just run fine.

@smillidge
Contributor

I will close now. If you can create a reusable test case then please indicate below and we will reopen. Alternatively if a reproducer is difficult this can be investigated under a support contract with Payara.

@eduarddrenth
Author

Ok, sorry I left it open, haven't seen anything unusual anymore...

@smillidge
Contributor

Glad to hear it is working.
