The keepState Property in Payara Micro Doesn’t Work Fully
From what I understand, when keepState is set to true, the persistent session state should be maintained during redeployments. This means that when running in dev mode using `mvn package payara-micro:dev`, the login session should be preserved, and the caller principal and caller group should also be maintained.
Here is the log of the issue:
Steps Taken:
- Create a Project:
  - Use Payara Starter to create a Payara Micro project.
  - Select Maven, Java 21, Jakarta EE 10, Web Profile, Payara Micro 6.2024.7, and Form Authentication - Database.
- Run Dev Mode:
  - Execute `mvn clean package payara-micro:dev`.
- Log In:
  - Open the “Secure Protected Page,” which shows the login screen.
  - Log in with the user `myuser`.
- Observe Behavior:
  - The following actions work as expected:
    - User can open “Secure Protected Page.”
    - User gets a 403 Forbidden error when opening “Admin Page.”
    - User can open “Secured Protected Resource.”
    - User gets a 403 Forbidden error when opening “Secured Admin Resource.”
- Modify Source Code:
  - Save changes to the source code.
  - The code is automatically recompiled and redeployed.
- Observe Behavior After Redeploy:
  - User gets a 403 Forbidden error when opening “Secure Protected Page.”
  - User gets a 403 Forbidden error when opening “Admin Page.”
  - User gets a 403 Forbidden error when opening “Secured Protected Resource.”
  - User gets a 403 Forbidden error when opening “Secured Admin Resource.”
Question:
Is losing the caller group or role after redeployment the intended behavior of keepState?
All session information, including caller groups and roles, should be preserved across redeployments.