Wildfly HA cluster on k8s is showing 403 on login


Avi Bhardwaj
Feb 27, 2023, 3:19:31 PM
to WildFly
I am facing a 403 Forbidden when running more than one replica of WildFly. I have tried modifying standalone-full-ha.xml as follows, but it has no effect:

<stack name="tcp">
    <transport type="TCP" socket-binding="jgroups-tcp"/>
    <!--socket-protocol type="MPING" socket-binding="jgroups-mping"/>-->
    <protocol type="org.jgroups.protocols.kubernetes.KUBE_PING" module="org.jgroups.kubernetes">
        <property name="namespace">${env.MY_POD_NAMESPACE}</property>
        <property name="masterHost">${env.KUBERNETES_SERVICE_HOST}</property>
        <property name="masterPort">${env.KUBERNETES_SERVICE_PORT}</property>
    </protocol>
    <protocol type="MERGE3"/>
    <socket-protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
    <protocol type="FD_ALL"/>
    <protocol type="VERIFY_SUSPECT"/>
    <protocol type="pbcast.NAKACK2"/>
    <protocol type="UNICAST3"/>
    <protocol type="pbcast.STABLE"/>
    <protocol type="pbcast.GMS"/>
    <protocol type="MFC"/>
    <protocol type="FRAG3"/>
</stack>


Please try to help ASAP, as I have been stuck with this for a long time.


Thanks

Avi Bhardwaj
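The KUBE_PING stack quoted above discovers cluster members by asking the Kubernetes API for the pods in `${env.MY_POD_NAMESPACE}`, so two things outside standalone-full-ha.xml have to be in place: the pod's service account must be allowed to get and list pods in its own namespace, and `MY_POD_NAMESPACE` (unlike `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT`, which the kubelet injects into every pod) must be set explicitly via the downward API. The manifests below are an added example, not part of the thread or of WildFly's own distribution; the namespace `wildfly`, the service account `wildfly`, the image name and the assumption that the image's entrypoint is `standalone.sh` are placeholders.

```yaml
# Added example (not from the thread). Namespace, service account name and
# image are placeholders; adjust to your deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wildfly
  namespace: wildfly
---
# Least privilege for KUBE_PING: read-only access to pods in this namespace
# only. No cluster-wide role, no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jgroups-kubeping-pod-reader
  namespace: wildfly
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jgroups-kubeping-pod-reader
  namespace: wildfly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jgroups-kubeping-pod-reader
subjects:
  - kind: ServiceAccount
    name: wildfly
    namespace: wildfly
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wildfly-app
  namespace: wildfly
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wildfly-app
  template:
    metadata:
      labels:
        app: wildfly-app
    spec:
      # Run as the service account that carries the pod-reader Role.
      serviceAccountName: wildfly
      containers:
        - name: wildfly
          image: registry.example.com/wildfly-app:PLACEHOLDER_TAG  # placeholder
          # Assumes the image entrypoint is standalone.sh: select the HA
          # profile and bind the private (JGroups) interface to the pod IP.
          args: ["-c", "standalone-full-ha.xml", "-b", "0.0.0.0", "-bprivate", "$(MY_POD_IP)"]
          env:
            # Feeds ${env.MY_POD_NAMESPACE} in the KUBE_PING configuration.
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: http
              containerPort: 8080
            - name: jgroups-tcp
              containerPort: 7600
```

To confirm the permission side without restarting anything, run `kubectl auth can-i list pods --namespace wildfly --as=system:serviceaccount:wildfly:wildfly`; if that answers `no`, KUBE_PING cannot see its peers and each replica forms a cluster of one. Whether the members actually joined is visible in the server log at startup, where JGroups prints the view (e.g. a line containing `view:` listing both pod names); that log line is the evidence the later replies in this thread ask for.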

Paul Ferraro
Feb 27, 2023, 5:11:36 PM
to WildFly
Can you be more specific?  In what context are you facing a 403?  An application request?  Using the k8s API, e.g. kubectl?

Avi Bhardwaj
Feb 28, 2023, 1:55:28 AM
to WildFly
I have an application that uses WildFly. After logging into it I receive this, but only when I have more than one replica of the WildFly application running:
[screenshot attachment]

Paul Ferraro
Feb 28, 2023, 5:24:31 PM
to WildFly
A 403 suggests that your authenticated user is failing authorization for the requested resource.
Can you say more about your application's authentication/authorization configuration?

If I had to guess, I suspect that your load balancer is not configured to use any kind of session affinity.  Thus if a subsequent request is handled by a different replica than the one on which that user was authenticated, then your application is throwing a 403.  Does that sound right?

Avi Bhardwaj
Mar 1, 2023, 9:58:06 AM
to WildFly
We are using keycloak for centralised access management. Keycloak is also clustered and is working fine. 

I have also implemented session affinity as an annotation on the ingress, but with no effect. These are the annotations I have in the ingress:
more_set_headers "Access-Control-Allow-Origin: $http_origin";
nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS, DELETE, PATCH
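The two annotations quoted above only configure CORS; neither of them enables session affinity, so a follow-up request can still land on a replica that never saw the login, which is exactly the mechanism Paul described. The Ingress below is an added example (not from the thread) showing what cookie-based affinity on ingress-nginx looks like next to the CORS settings; the hostname `app.example.com`, the namespace `wildfly`, the backend Service `wildfly-app` and the TLS secret name are placeholders. It also pins the allowed CORS origin to one named host instead of reflecting whatever `Origin` the client sent, since the reflected form grants cross-origin access to every site.

```yaml
# Added example (not from the thread). Host, namespace, service and secret
# names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildfly-app
  namespace: wildfly
  annotations:
    # Cookie-based session affinity: ingress-nginx sets INGRESSCOOKIE on the
    # first response and routes later requests carrying it to the same
    # replica. "persistent" keeps existing mappings when replicas are added,
    # so a scale-up does not reshuffle already authenticated users.
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "INGRESSCOOKIE"
    nginx.ingress.kubernetes.io/session-cookie-path: "/"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "3600"
    nginx.ingress.kubernetes.io/session-cookie-expires: "3600"
    # CORS: same method list as in the thread, but with the origin pinned to
    # the application's own host rather than echoing $http_origin.
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS, DELETE, PATCH"
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["app.example.com"]
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildfly-app
                port:
                  number: 8080
```

A quick way to see that affinity is active is to look at the first response after applying the manifest: it must carry a `Set-Cookie: INGRESSCOOKIE=...` header, and a second request that sends that cookie back must be answered by the same pod (compare the pod name in each replica's access log). Affinity is the lighter fix; the alternative for a WildFly HA cluster is to mark the web application `<distributable/>` in its web.xml so that its HTTP session, and with it the authenticated identity, is replicated across replicas and a request reaching any member finds it.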

Paul Ferraro
Mar 1, 2023, 12:52:31 PM
to Avi Bhardwaj, WildFly
"We are using keycloak for centralised access management." tells me nothing about how your application is configured to propagate user identity between requests. Please be more specific.
Surely you have server/application configuration and server logs that can provide more context?
