Merge pull request #24753 from arjantijms/ha_principal_from_app

Try the application classloader to restore the Principal for HA.

appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
  * Copyright 2004 The Apache Software Foundation
  *
@@ -251,7 +251,7 @@ public int invoke(Request request, Response response) throws IOException, Servle
         if (isVersioningSupported() && versionCookie != null) {
             version = Long.parseLong(versionCookie.getValue());
         }
-        SingleSignOnEntry entry = lookup(cookie.getValue(), version);
+        SingleSignOnEntry entry = lookup(cookie.getValue(), version, request.getContext().getLoader().getClassLoader());
         if (entry != null) {
             if (debug >= 1) {
                 String msg = MessageFormat.format(rb.getString(LogFacade.FOUND_CACHED_PRINCIPAL_AUTH_TYPE_INFO),
@@ -314,7 +314,7 @@ public void associate(String ssoId, long ssoVersion, Session session) {
             log(rb.getString(ASSOCIATE_SSO_WITH_SESSION_INFO));
         }
 
-        SingleSignOnEntry sso = lookup(ssoId, ssoVersion);
+        SingleSignOnEntry sso = lookup(ssoId, ssoVersion, null);
         if (sso != null) {
             session.setSsoId(ssoId);
             session.setSsoVersion(ssoVersion);
@@ -417,7 +417,7 @@ protected SingleSignOnEntry lookup(String ssoId) {
      * @param ssoId Single sign on identifier to look up
      * @param ssoVersion Single sign on version to look up
      */
-    protected SingleSignOnEntry lookup(String ssoId, long ssoVersion) {
+    protected SingleSignOnEntry lookup(String ssoId, long ssoVersion, ClassLoader appClassLoader) {
         return lookup(ssoId);
     }
 

appserver/web/web-glue/src/main/java/com/sun/enterprise/security/web/GlassFishSingleSignOn.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -374,7 +375,7 @@ public int invoke(Request request, Response response)
         if (isVersioningSupported() && versionCookie != null) {
             version = Long.parseLong(versionCookie.getValue());
         }
-        SingleSignOnEntry entry = lookup(cookie.getValue(), version);
+        SingleSignOnEntry entry = lookup(cookie.getValue(), version, request.getContext().getLoader().getClassLoader());
         if (entry != null) {
             if (logger.isLoggable(Level.FINE)) {
                 logger.log(Level.FINE, LogFacade.FOUND_CACHED_PRINCIPAL,
@@ -443,7 +444,7 @@ protected void deregister(String ssoId) {
         // Look up and remove the corresponding SingleSignOnEntry
         SingleSignOnEntry sso = null;
         synchronized (cache) {
-            sso = (SingleSignOnEntry) cache.remove(ssoId);
+            sso = cache.remove(ssoId);
         }
 
         if (sso == null)
@@ -492,7 +493,7 @@ private void processExpires() {
                 Iterator<String> it = cache.keySet().iterator();
                 while (it.hasNext()) {
                     String key = it.next();
-                    SingleSignOnEntry sso = (SingleSignOnEntry) cache.get(key);
+                    SingleSignOnEntry sso = cache.get(key);
                     if (sso.isEmpty() && sso.getLastAccessTime() < tooOld) {
                         removals.add(key);
                     }
@@ -581,6 +582,7 @@ private void threadStop() {
     /**
      * The background thread that checks for SSO timeouts and shutdown.
      */
+    @Override
     public void run() {
 
         // Loop until the termination semaphore is set
@@ -626,6 +628,7 @@ protected void removeSession(String ssoId, Session session) {
      *
      * @return Number of sessions participating in SSO
      */
+    @Override
     public int getActiveSessionCount() {
         return cache.size();
     }
@@ -636,6 +639,7 @@ public int getActiveSessionCount() {
      *
      * @return Number of SSO cache hits
      */
+    @Override
     public int getHitCount() {
         return hitCount.intValue();
     }
@@ -646,6 +650,7 @@ public int getHitCount() {
      *
      * @return Number of SSO cache misses
      */
+    @Override
     public int getMissCount() {
         return missCount.intValue();
     }

appserver/web/web-ha/src/main/java/org/glassfish/web/ha/authenticator/HASingleSignOn.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -113,7 +114,7 @@ public void associate(String ssoId, long ssoVersion, Session session) {
         if (debug >= 1)
             log("Associate sso id " + ssoId + " with session " + session);
 
-        HASingleSignOnEntry sso = (HASingleSignOnEntry)lookup(ssoId, ssoVersion);
+        HASingleSignOnEntry sso = (HASingleSignOnEntry)lookup(ssoId, ssoVersion, null);
         if (sso != null) {
             session.setSsoId(ssoId);
             sso.addSession(this, session);
@@ -127,8 +128,8 @@ public void associate(String ssoId, long ssoVersion, Session session) {
     }
 
     @Override
-    protected SingleSignOnEntry lookup(String ssoId, long ssoVersion) {
-        SingleSignOnEntry ssoEntry = super.lookup(ssoId, ssoVersion);
+    protected SingleSignOnEntry lookup(String ssoId, long ssoVersion, ClassLoader appClassLoader) {
+        SingleSignOnEntry ssoEntry = super.lookup(ssoId, ssoVersion, appClassLoader);
         if (ssoEntry != null && ssoVersion > ssoEntry.getVersion()) {
             // clean the old cache
             synchronized(cache) {
@@ -142,7 +143,7 @@ protected SingleSignOnEntry lookup(String ssoId, long ssoVersion) {
                 HASingleSignOnEntryMetadata mdata =
                     ssoEntryMetadataBackingStore.load(ssoId, null);
                 if (mdata != null) {
-                    ssoEntry = new HASingleSignOnEntry(getContainer(), mdata, ioUtils);
+                    ssoEntry = new HASingleSignOnEntry(getContainer(), mdata, ioUtils, appClassLoader);
                     cache.put(ssoId, ssoEntry);
                 }
             } catch(BackingStoreException ex) {

appserver/web/web-ha/src/main/java/org/glassfish/web/ha/authenticator/HASingleSignOnEntry.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -42,17 +43,18 @@ public class HASingleSignOnEntry extends SingleSignOnEntry {
 
     protected HASingleSignOnEntryMetadata metadata = null;
 
+    protected ClassLoader appClassLoader;
+
     // default constructor is required by backing store
     public HASingleSignOnEntry() {
-        this(null, null, null, null, null, 0, 0, 0, null, null);
+        this(null, null, null, null, null, 0, 0, 0, null, null, null);
     }
 
-    public HASingleSignOnEntry(Container container, HASingleSignOnEntryMetadata m,
-            JavaEEIOUtils ioUtils) {
+    public HASingleSignOnEntry(Container container, HASingleSignOnEntryMetadata m, JavaEEIOUtils ioUtils, ClassLoader appClassLoader) {
         this(m.getId(), null, m.getAuthType(),
                 m.getUserName(), m.getRealmName(),
                 m.getLastAccessTime(), m.getMaxIdleTime(), m.getVersion(),
-                ioUtils, m.getPrincipalBytes());
+                ioUtils, m.getPrincipalBytes(), appClassLoader);
 
         for (HASessionData data: m.getHASessionDataSet()) {
             StandardContext context = (StandardContext)container.findChild(data.getContextPath());
@@ -74,18 +76,19 @@ public HASingleSignOnEntry(String id, Principal principal, String authType,
             JavaEEIOUtils ioUtils) {
 
         this(id, principal, authType, username, realmName, lastAccessTime,
-            maxIdleTime, version, ioUtils, convertToByteArray(principal, ioUtils));
+            maxIdleTime, version, ioUtils, convertToByteArray(principal, ioUtils), null);
     }
 
     private HASingleSignOnEntry(String id, Principal principal, String authType,
             String username, String realmName,
             long lastAccessTime, long maxIdleTime, long version,
-            JavaEEIOUtils ioUtils, byte[] principalBytes) {
+            JavaEEIOUtils ioUtils, byte[] principalBytes, ClassLoader appClassLoader) {
 
         super(id, version, principal, authType, username, realmName);
         this.lastAccessTime = lastAccessTime;
         this.maxIdleTime = maxIdleTime;
         this.ioUtils = ioUtils;
+        this.appClassLoader = appClassLoader;
 
         if (principal == null && principalBytes != null) {
             this.principal = parse(principalBytes);
@@ -180,7 +183,24 @@ private Principal parse(byte[] pbytes) {
             bais = new ByteArrayInputStream(pbytes);
             bis = new BufferedInputStream(bais);
             ois = ioUtils.createObjectInputStream(bis, true, this.getClass().getClassLoader());
-            return (Principal)ois.readObject();
+
+            if (appClassLoader == null) {
+                return (Principal) ois.readObject();
+            }
+
+            try {
+                return (Principal) ois.readObject();
+            } catch (ClassNotFoundException e) {
+                closeSafely(bais);
+                closeSafely(bis);
+                closeSafely(ois);
+
+                bais = new ByteArrayInputStream(pbytes);
+                bis = new BufferedInputStream(bais);
+                ois = ioUtils.createObjectInputStream(bis, true, appClassLoader);
+
+                return (Principal) ois.readObject();
+            }
         } catch(Exception ex) {
             throw new IllegalStateException(ex);
         } finally {