
I've been facing a problem lately and I don't know how to handle it, or even what the problem might be coming from.

Tools:

- MySQL (for the database)

- Java EE web application (to serve as back-end)

- Jersey 2.26 dependency (to serve as API on top of the web application / CORS filter implemented)

- Apache Tomcat/7.0.69 (as web server where the web app sits)

- Angular 4 (as website and client to the API)

- CentOS Linux release 7.3 (Core) (server operating system)

Problem:

Once the request is sent to the API (to a specific secured endpoint, let's call it customers), sometimes the response is 401 Unauthorized, and at other times it works just fine. From the Angular website, for instance, if I press F12 and follow the requests, I send the same request again (the one I got 401 for), but this time it works; the JWT is valid and it works just fine. It's not that there are too many requests going to the server; even if there are few, sometimes I get 401, but most of the time it works great.

The only thing in the code that can return 401 is the authentication filter, which checks the validity of the token, but it looks fine to me.

I checked this article that talks about the 401 response, but still, it's hard for me to grasp why it works sometimes and not other times for the same request. I get the 401 while checking with the website and also when checking with Postman, so I guess it's not a cache or cookies thing, but I might be wrong to assume this.

Any ideas on what might be wrong? Or where should I be checking for bugs or errors?

Thanks a lot

  • What is the authentication scheme? – Eugène Adell Mar 30 '18 at 11:31
  • Are you using the built-in Tomcat authentication or are you rolling your own using just the filter? If it is just the filter, comment out the `@WebFilter` annotation (or remove it from `web.xml` if you do not use annotations), then test it. If it works fine, it's your filter's problem – vikarjramun Mar 30 '18 at 15:45
  • "What is the authentication scheme?" It's basic auth: first the user sends a username and password, then he gets a token, and he has to use the token inside the Authorization header to be able to do stuff. There is a web filter that checks the validity of the token itself. – Majd Mahajenah Apr 01 '18 at 05:36
  • "Are you using the built-in Tomcat authentication or are you rolling your own using just the filter?" Yes, I'm using my own filter, very similar to this one here [link](https://stackoverflow.com/questions/26777083/best-practice-for-rest-token-based-authentication-with-jax-rs-and-jersey). Thanks for the advice, I will try it out. – Majd Mahajenah Apr 01 '18 at 05:37
  • @vikarjramun I do not have a `@WebFilter` annotation and there is no mention of it in the web.xml; all I have is a NameBinding interface that looks like this: `@NameBinding @Retention(RUNTIME) @Target({TYPE, METHOD}) public @interface Secured { }` – Majd Mahajenah Apr 01 '18 at 05:53
  • @MajdMahajenah Oh sorry, I thought that it was a servlet filter. Just comment out everything in the filter method – vikarjramun Apr 01 '18 at 17:52
  • @vikarjramun Thanks buddy, really appreciate the help :). We upgraded the Tomcat version and used the singleton annotation for the endpoints. That solved it for us. – Majd Mahajenah Apr 02 '18 at 06:21
  • @MajdMahajenah Perfect. Sorry I couldn't be of any help – vikarjramun Apr 02 '18 at 12:47
  • @vikarjramun No man, the effort is more than enough :) Discussing the problem with other people is always good, thanks a lot. – Majd Mahajenah Apr 03 '18 at 06:43

1 Answer


Set Tomcat security to false.

Karam Jabareen