Session Drops in Production After Upgrading to 2.2.1

I’ve changed versions from 2.1 to 2.2.0 to 2.2.1 sequentially. On version 2.2.1 in production, the session started to drop suddenly and display the login page without any apparent pattern. It doesn’t matter who logs in, whether it’s admin or another role. If the session drops, sometimes when clicking on a dataGrid, I receive the following in the log:

Caused by: java.lang.IllegalStateException: ResourceRole not found by code: ANONYMOUS

When clicking in the menu tab area, it logs out to the login page.
The build for prod is done with:
./gradlew -Pvaadin.productionMode=true bootJar

In dev mode, no errors or such behavior are observed.
In prod, the application runs in Docker and is behind nginx with SSL, so the problem might be in the nginx rules.
Everything worked correctly on version 2.1.
I am seeking advice on what to look into.

PS: I’ve noticed a feature; if on the login page I check the “remember me” checkbox, then the session either drops immediately, meaning I have to log in a second time and then it works without issues, or the login and subsequent work proceed normally.

Hello,

To begin, I would look into your application's Resource roles to see whether there is a role with code “ANONYMOUS”; it may not be there, or it may have a different code such as “anonymous” or “Anonymous”.

If it is not found, then create the role and see what happens. Another approach is to find what it is that wants the resource role with code “ANONYMOUS”: search the project for that keyword.

Kind regards,
Mladen


Thank you for the ideas!
I believe the log entry “… ResourceRole not found by code: ANONYMOUS” is caused by the current session being killed, but there’s still an attempt to access the secured backend resource.
We need to investigate the reason behind the unexpected session’s behavior. It’s definitely related to the new version of Jmix 2.2.X.

I am also facing this issue. Are you using Firefox?

I tried with Chrome and Firefox, same result.
I created an issue topic on the Russian forum; now Gleb is trying to reproduce the issue.

Session drops in production after upgrading to 2.2.1 - #10 by seit.art.develop - Questions and problems - Jmix

Same issue here (in multiple browsers).
I jumped straight from 2.1.3 to 2.2.1 and get the same error message. I tried reverting back to 2.2, but that version seems to be affected too.

Hi guys,

We found rejections of requests to /VAADIN/push with 403 error because of CSRF in the log. Could you try disabling the CSRF for this endpoint by registering the following bean and check whether it changes anything?

import io.jmix.core.JmixSecurityFilterChainOrder; // package assumed; adjust if it differs in your Jmix version
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// A chain scoped to /VAADIN/push/** only, ordered before the FlowUI chain,
// so CSRF protection stays enabled for every other request in the application.
@Bean
@Order(JmixSecurityFilterChainOrder.FLOWUI - 10)
SecurityFilterChain vaadinPushFilterChain(HttpSecurity http) throws Exception {
    http.securityMatcher("/VAADIN/push/**")
            .authorizeHttpRequests(requests -> requests.anyRequest().permitAll())
            .csrf(csrf -> csrf.disable()); // workaround for the push POST being rejected with 403
    return http.build();
}

Good evening!
I did as you instructed.
The session no longer drops.
I sent the log to your private messages.

Here is a Vaadin issue for this problem: VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request · Issue #19075 · vaadin/flow · GitHub


Do you think this problem and the linked Vaadin bug fix would apply to the sporadic “invalid JSON” errors mentioned in communication-error-invalid-json-from-server-1-x and jmix-1-x-app-not-working-on-aws-communication-error-invalid-json-from-server-1-x?

I have been having the invalid JSON error and found these NGINX log entries that correspond. They all had a 403 response to POST /VAADIN/push, which is why I thought they might be related. In my case there was a GET /VAADIN/push that received 101, immediately followed by the POST that received 403.

My app is running on AWS Beanstalk with the standard NGINX configuration.

Here are the sanitized entries from the NGINX log. There was nothing in the application log.

[09/Apr/2024:22:59:40 +0000] "GET /VAADIN/push?v-r=push&v-uiId=0&v-pushId=1b557a50-233f-4b89-8634-6fe69ba7be98&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=3.1.2-javascript&X-Atmosphere-Transport=websocket&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true&X-Vaadin-LastSeenServerSyncId=0 HTTP/1.1" 101 51 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" "my IP address"

[09/Apr/2024:22:59:40 +0000] "POST /VAADIN/push?v-r=push&v-uiId=0&v-pushId=1b557a50-233f-4b89-8634-6fe69ba7be98&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=9e157618-38d9-4cef-99f0-26ecd1ecdf3d&X-Vaadin-LastSeenServerSyncId=3 HTTP/1.1" 403 111 "https://server/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" "my IP address"
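
The GET-101-then-POST-403 pattern Jeff describes can be checked mechanically from an access log. The script below is an added example, not code from the thread or from the Jmix/Vaadin projects: it parses nginx combined-format lines (the sample lines are the two sanitized entries posted above plus one constructed, unrelated request), keys push requests on the v-pushId query parameter, and reports every POST /VAADIN/push rejected with 403 together with whether a websocket upgrade (101) for the same push id preceded it. The function names and the dict layout are this example's own choices.

```python
"""Correlate rejected Vaadin push POSTs with their websocket upgrade in nginx logs.

Added example for this thread; assumes the default nginx 'combined' log format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two sanitized entries from the post above plus one
# ordinary request that must be ignored by the correlation.
SAMPLE_LOG_LINES = [
    '[09/Apr/2024:22:59:39 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "my IP address"',
    '[09/Apr/2024:22:59:40 +0000] "GET /VAADIN/push?v-r=push&v-uiId=0'
    '&v-pushId=1b557a50-233f-4b89-8634-6fe69ba7be98&X-Atmosphere-tracking-id=0'
    '&X-Atmosphere-Framework=3.1.2-javascript&X-Atmosphere-Transport=websocket'
    '&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json;%20charset=UTF-8'
    '&X-atmo-protocol=true&X-Vaadin-LastSeenServerSyncId=0 HTTP/1.1" 101 51 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "my IP address"',
    '[09/Apr/2024:22:59:40 +0000] "POST /VAADIN/push?v-r=push&v-uiId=0'
    '&v-pushId=1b557a50-233f-4b89-8634-6fe69ba7be98&X-Atmosphere-Transport=close'
    '&X-Atmosphere-tracking-id=9e157618-38d9-4cef-99f0-26ecd1ecdf3d'
    '&X-Vaadin-LastSeenServerSyncId=3 HTTP/1.1" 403 111 "https://server/login" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "my IP address"',
]

# Matches the request-line, status, body size and referer of a combined-format entry.
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)"'
)


def parse_line(line):
    """Return a dict with method, path, parsed query, status and referer, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs keeps only '&' as a separator, so the encoded Content-Type value survives intact.
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def find_rejected_push(lines):
    """List every POST /VAADIN/push answered with 403.

    Each finding records the push id, the Atmosphere transport of the rejected POST,
    and whether a websocket upgrade (HTTP 101) for the same push id was seen earlier,
    which is the sequence reported in the thread.
    """
    upgraded = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/VAADIN/push":
            continue
        push_id = rec["query"].get("v-pushId")
        if rec["method"] == "GET" and rec["status"] == 101:
            upgraded.add(push_id)
        elif rec["method"] == "POST" and rec["status"] == 403:
            findings.append({
                "time": rec["time"],
                "push_id": push_id,
                "transport": rec["query"].get("X-Atmosphere-Transport"),
                "after_upgrade": push_id in upgraded,
                "referer": rec["referer"],
            })
    return findings


if __name__ == "__main__":
    for f in find_rejected_push(SAMPLE_LOG_LINES):
        print(f)
```

Run it against a real access log with `find_rejected_push(open("access.log"))`; a finding with `after_upgrade` true and `transport` equal to `close` is the exact shape of the entries quoted above, and a burst of them after the push filter-chain workaround is applied would argue against CSRF being the cause in that deployment.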

Dear @chicojeff Jeff, I don't think it is related.
The “Invalid JSON” was there in CUBA, it is there in Jmix 1.x and in Jmix 2.x.

For AWS EB please refer to: