Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1314

Elytron, make scope of SPNEGO authentication configurable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Duplicate Issue
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR5
    • Component/s: None
    • Labels:
      None

      Description

      Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.

      This different approach can bring these behaviour differences after migration from legacy to Elytron:

      • if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
      • more frequent kerberos negotiation cycles
      • load balancer switches to another node (same http session, but new TCP connection)
      • new tab in browser (same http session, but new TCP connection) [2]

      [1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
      [2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: