WildFly / WFLY-9614

Make keystore optional in SSO configuration


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: 11.0.0.Final
    • Component/s: Security, Web (Undertow)

    Description

      A keystore is required [1], thus logout messages are signed by default.
      It is questionable whether the security this brings is worth the default command complexity, as:

      • Integrity of messages could be achieved at the node-to-node communication level
      • If the message is not signed, an attacker needs to know the HTTP session ID to do harm. Once an attacker knows the HTTP session ID, he can do a lot more useful attacks than logging the user out.

      Some long discussion on this topic occurred in the WildFly Elytron HipChat room, 2017-12-7 - 2017-12-11.

      [1] https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On

          People

            Assignee: Unassigned
            Reporter: Martin Choma (mchoma@redhat.com)