Details
Bug
Resolution: Unresolved
Major
None
11.0.0.Final
None
Description
A keystore is required [1], so logout messages are signed by default.
It is questionable whether the security this brings is worth the default command complexity, as:
- Integrity of messages could be achieved at the node-to-node communication level.
- If the message were not signed, an attacker would need to know the HTTP session id to do any harm. Once an attacker knows the HTTP session id, they can carry out much more useful attacks than logging the user out.
A long discussion on this topic occurred in the WildFly Elytron HipChat room, 2017-12-07 to 2017-12-11.
[1] https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On
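To make the trade-off in the description concrete, the following is an added example (not code from WildFly, Elytron, or the issue reporter). It models a receiving SSO node that invalidates a session on a logout message, once without any signature check and once with one. The message format, the use of HMAC-SHA256 as a stand-in for the keystore-backed signature described in the linked documentation, and the session id are all constructed for this example and are not WildFly's actual wire format or algorithm.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def build_logout_message(session_id: str) -> dict:
    """Hypothetical logout message (constructed; not WildFly's wire format)."""
    return {"op": "logout", "sessionId": session_id}


def canonical(msg: dict) -> bytes:
    """Stable serialization so sender and receiver sign and verify identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical message.

    Assumption: this stands in for the keystore-based signature the docs describe;
    a real deployment would use the configured key pair, not a shared secret.
    """
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


class SsoNode:
    """A node that holds local sessions and processes incoming logout messages."""

    def __init__(self, key: Optional[bytes]):
        # key=None models the "no keystore, messages unsigned" configuration.
        self.key = key
        self.sessions = set()

    def handle_logout(self, msg: dict, signature: Optional[str]) -> bool:
        """Return True if a session was invalidated, False if the message was rejected."""
        if self.key is not None:
            # Signed mode: reject anything not produced by a holder of the key.
            if signature is None or not hmac.compare_digest(sign(msg, self.key), signature):
                return False
        sid = msg.get("sessionId")
        if msg.get("op") != "logout" or sid not in self.sessions:
            return False
        self.sessions.discard(sid)
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Run the three scenarios from the description and return their outcomes.

    Returns (forgery_succeeds_unsigned, forgery_rejected_signed, legitimate_accepted_signed).
    """
    key = secrets.token_bytes(32)
    victim = "S3SSION-ID-OF-VICTIM"  # constructed session id

    # Scenario 1: unsigned messages. Knowing the session id is all an attacker needs
    # to log the user out (the bar the reporter argues is already the weak point).
    unsigned_node = SsoNode(key=None)
    unsigned_node.sessions.add(victim)
    forged = build_logout_message(victim)
    forgery_succeeds_unsigned = unsigned_node.handle_logout(forged, signature=None)

    # Scenario 2: signed messages. The same attacker knows the session id but not the
    # signing key, so the forged logout is rejected.
    signed_node = SsoNode(key=key)
    signed_node.sessions.add(victim)
    forgery_rejected_signed = not signed_node.handle_logout(
        forged, signature=sign(forged, b"attacker-guess-of-key")
    )

    # Scenario 3: a legitimate peer holding the key still logs the session out.
    legitimate_accepted_signed = signed_node.handle_logout(forged, signature=sign(forged, key))

    return forgery_succeeds_unsigned, forgery_rejected_signed, legitimate_accepted_signed


if __name__ == "__main__":
    print(demo())
```

The example shows what the signature actually buys: it raises the bar for a logout forgery from "knows the session id" to "knows the session id and holds the signing key". Whether that is worth the keystore requirement depends on whether the node-to-node channel already provides integrity, which is the point the description raises.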