Unexpected JSESSIONID returned from Rest endpoints #29751

Open
amasson88 opened this issue Sep 30, 2024 · 1 comment · May be fixed by #29790
Labels
release bug This bug is present in a released version of Open Liberty team:Core Security


@amasson88

Describe the bug

Responses from a simple Jakarta Rest endpoint always contain a JSESSIONID cookie if server.xml contains

<feature>audit-1.0</feature>

...even if the endpoint implementation doesn't use HttpSession.
(Without audit-1.0, no JSESSIONID is returned as expected.)

Steps to Reproduce

Implement a simple Rest endpoint like

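import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

@RequestScoped
@Path("/testclass")
public class MyTestService {

    // Never touches HttpSession, so no session cookie is expected.
    @GET
    @Path("/testmethod")
    public String myTest() throws Exception {
        return "SUCCESS";
    }
}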

Ensure <feature>audit-1.0</feature> is in server.xml.

Call https://localhost:9445/testclass/testmethod, check response Cookies.

Expected behavior

The response should not contain a new JSESSIONID cookie.

Diagnostic information:

  • OpenLiberty Version: 24.0.0.9
  • Affected feature(s): audit-1.0
  • Java Version: semeru-21.0.4
  • server.xml configuration
   <featureManager>
       <feature>microProfile-5.0</feature>
       <feature>transportSecurity-1.0</feature> 
       <feature>beanValidation-3.0</feature>
       <feature>socialLogin-1.0</feature>
       <feature>openidConnectClient-1.0</feature>
       <feature>audit-1.0</feature>
       <feature>jdbc-4.2</feature>
       <feature>persistence-3.0</feature>
       <feature>requestTiming-1.0</feature>
   </featureManager>
@amasson88 amasson88 added the release bug This bug is present in a released version of Open Liberty label Sep 30, 2024
@una-tapa una-tapa self-assigned this Sep 30, 2024
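
A check for the "call the endpoint, check response cookies" step in the report above, as an added example that is not part of the issue or of Open Liberty's code. The function names are hypothetical and both response heads are constructed samples, not captures from a real server.

```python
SESSION_COOKIE = "JSESSIONID"  # default servlet session cookie name

# Constructed sample response heads (assumed shape, not real captures).
WITHOUT_AUDIT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
)
WITH_AUDIT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "set-cookie: JSESSIONID=0000EXAMPLE:-1; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response_head):
    """Return one dict per Set-Cookie header: name, value, lowercased attrs."""
    cookies = []
    for line in raw_response_head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; ignore everything but Set-Cookie.
        if not sep or name.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        c_name, _, c_value = pair.partition("=")
        cookies.append({
            "name": c_name.strip(),
            "value": c_value.strip(),
            "attrs": {a.partition("=")[0].strip().lower() for a in attrs if a},
        })
    return cookies


def unexpected_session_cookies(raw_response_head):
    """Session cookies set by a response that should be stateless."""
    return [c for c in parse_set_cookies(raw_response_head)
            if c["name"] == SESSION_COOKIE]


if __name__ == "__main__":
    for label, head in (("without audit-1.0", WITHOUT_AUDIT),
                        ("with audit-1.0", WITH_AUDIT)):
        hits = unexpected_session_cookies(head)
        print(label, "->", "FAIL" if hits else "ok", hits)
```
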
@una-tapa
Member

una-tapa commented Oct 3, 2024

Found a possible cause in the following and a couple other places.

https://github.com/OpenLiberty/open-liberty/blob/integration/dev/com.ibm.ws.security.audit.source/src/com/ibm/ws/security/audit/source/utils/AuditUtils.java#L87

Planning to provide a test patch to @amasson88 for his feedback. Targeting sometime next week.
